Gooken - SSL encryption for your connection to the Gooken search engine
Gooken - addurl: add the URL of a website, even if it does not refer to our main themes
Gooken - code integration of input fields for words and text into your menus and websites
Gooken - download of only some hundred KB in size (some thought it were 100)
Gooken - high placement - if you want the index of your websites placed quite on top


Null Problemo: "If you do not know how to go on, you have two possibilities: either you explode, or you cry for help." (Magnum, TV series, January 2016).

"Every thinking person familiar with the history of the 1980s knows that the USA is a criminal state, which ... its superiority with ..."
www.compact-online.de/us-strategie-weltpolizei-oder-beobachtender-raushalter

And when, decades ago, even my mother said: "We are no give-away institution for the Germans and no social welfare station of the USA!", ...

Step 1 - Multiple Protection - The Basic Security Level, report from Gooken.de, the meta and local internet search engine with the online excursus "IT-Security"



IT security is a kind of "game": to reach the highest IT security level possible. Its aim is to escape from the sun-eating of the evil suneater ("computer") by mutating him (the suneater resp. "computer") into a real computer, including its boundaries resp. connections within all its nets ... (do not ask us about all the people who have already lost this "game" ...). We would like to play it in the manner of the popular board game "Mensch ärgere Dich nicht": check mark by check mark:

Gooken provides 1000% IT security: just follow these green check marks!

From our line, this (troubleshooting) excursus

Intro


Get rid of all problems with your computer! You will not have any trouble with your computer and computer system anymore! This became really possible in 2010, when Enterprise Linux resp. "Universal Linux" was released on the hardware listed in our data sheet section! Only the installation process will take some effort. Of course you have to update the system with Enterprise Linux:
Gooken presents you "Universal Linux", based especially on the more than 10 years updated Enterprise Linux 6, 7 and 8, CentOS C6, C7, ... (Fedora Core, RHEL6, CentOS 6 resp. Scientific Linux 6) and/or additionally the Mandriva derivatives (Mandriva 2010.2-2012, Mageia 1-7, Rosa 2014.1, 2016.1, PC Linux OS (pclos)), some Slackware (slack 14.2) and OpenSuSE (Tumbleweed, 15.2, 15.1, 15.0), including the KDE Desktop Environment (KDE) and other desktop environments: the 1000% secure computer operating system, full of surface-covering, prototyped, almost entirely rpm-based software, including emulators for many programs of other operating systems, together with the everlasting lifetime hardware that runs mouseclick-fast on "Universal Linux" at low power consumption and lowest cost, listed in the data sheet from the left menu - and all quite for free!

Gain your trust back, and gain the trust in you back!


05.26.2020, since 2010: a computer without needing any care: (paranoid-)secure and standardized, stable computer system, self-repairing, free from wide restrictions, totally free from maintenance, surface-covering open-source software, with emulators and virtual machines for many operating systems, always mouseclick-fast (free from hackers, trojans etc.), most comfortable, endlessly durable (lifetime soft- and hardware), power-saving, free from royalties and all in all (quite) for free; presented by Gooken

Gooken - the at times overflowing, large "China restaurant"... Do you want everlasting peace with your computer as a system (backported Fedora Core (fc): updates from 2010 to 2026 resp. lifetime) with covering software (backported too) on power-saving and cheap lifetime hardware, providing an incredibly high security level? Contribute to Gooken for the manufacturing of the (consistent) IT security standard! To correspond, please click here!

Donate to or pay Gooken via PayPal.me: please click here!

Alternatively donate via our bank account (see imprint) or contact us: you can buy the complete rights to Gooken (over all websites and products) to become its owner for some septillions per agreement; more details under "News&Links" in the left menu!

(Planned in future) Vienna, net communication: free from eavesdropping with the help of quantum physics?, tagesschau.de, 16.12.2018
Whoever communicates with others on the internet inevitably leaves tracks. Researchers from Vienna have devised a new method that makes communication eavesdropping-proof even in larger networks.
In future, quantum cryptography could enable eavesdropping-free communication on the internet. Researchers from Austria have, by their own account, taken an important step: they managed to let four members of a network communicate free from eavesdropping. Scientists around Rupert Ursin from the Institute for Quantum Optics and Quantum Information of the Austrian Academy of Sciences presented their research in the British journal "Nature".
https://www.tagesschau.de/ausland/quanten-101.html

Surveillance
36 million euros: ZITiS builds a supercomputer for decryption, netzpolitik.org, 16.10.2018
The German hacking authority ZITiS intends to build a supercomputer for the deciphering of encrypted data. This follows from the authority's 36 million euro draft budget, which we are publishing. ZITiS is still looking for state hackers, while currently only half of the posts for this work are filled.
German Federal Ministry of the Interior

Surveillance of the internet node: DE-CIX sues BND, Tagesschau, 22.04.2015
The BND is being held to account in court for its surveillance of the DE-CIX network node in Frankfurt am Main. The operator of the node is going to sue. Critics also accuse the government of trickery. Around three terabits of data per second pass through and are processed, an amount of 600 CD-ROMs. The customers include all big internet companies like Deutsche Telekom, Vodafone and Verizon; more details see Links, section "NSA, GCHQ & Co.".

... one more exception to our promise "Gooken 1000% - 1000% IT security for your computer" is grounded in website code. Although tracking scripts resp. JavaScript can (and should) be deactivated, information can still be stored locally as well as spread into any PHP/MySQL-coded database. Local storage is not the problem, but for this distribution of information into all kinds of foreign databases an unusual release of the database passwords would be required, and we really assume they do!


But the exchange of DNS information, canvas fingerprinting and the storing of the browser user-agent string can be prevented as far as anonymizing proxies do it, especially TOR and/or maybe some VPN (Virtual Private Network), at least for the anonymization of the IP address!

An important part of the security is taken by Linux file systems like btrfs and ext4 and by our iptables and ebtables firewall linfw3!

Beyond this, on our websites we especially want to contribute to your choice of the right computer hardware, the securing configuration of UNIX/Linux and the right choice of TOR nodes (so-called entry guards and exit nodes resp. relays), in the last case even by the specialized pages News&Links! For further questions of any kind, our secure search engine Gooken wants to do its best.
The overwhelming, already everywhere published floods of information, reports over reports (material) out of the well-known best and very best sources within our section News&Links finally give you one of the best opportunities ever to do something against responsible dangerous instances, more than endangering countries (like especially the USA), companies, mandants, clients and persons by name - even by taking legal action against what has already become deep, deep reality for decades!
As far as our party is concerned, please do nothing but take note of our general disclaimer!
So far our short description, the summary of Gooken!


The time before Gooken, the time before "Universal Linux 2010" - Computer: "It can (could) hardly break down any further"


From News&Links#Intro#RocknRolf#tradit.

"The all destructive power"

StarWars "Atomic warheads...

what obviously might describe nothing but something similar to our Suneater by Miro.

"Let's go!"

Linux - the time before Gooken's "Universal Linux" (mainly CentOS 6 resp. Scientific Linux 6 from 2010 with updates to 2020 and longer)
"Thanks, Linux": you have made Microsoft rich!, Gooken.de:

Everything about MAC OS X and Linux, http://www.trojaner-board.de/sitemap/f-13.html:

BUUUäääääH! This is the same dirt as Win-stupid... :(
Where is my rubbish?
Converting to Linux Mint - the screen colours - everything greyed out!
...
More of this indeed quite infinitely long listing:
https://www.trojaner-board.de#MAC_and_Linux-Troubleshooting
News&Links#Computer
Newsgroup: alt.linux.suse
Exkurs#Universal_Linux_by_Gooken
Listing for MS Windows: News&Links#MS_Windows_Troubleshooting

From News&Links#alternatives



And if, decades ago, even my own mother said on the subject of Maja Schmidt from Voerde: "We are no give-away institution for the Germans and no social welfare station of the USA!", then I ask myself whether that is not actually true.

Contaminated
Coronavirus causes an increase in malware, trojaner-info.de, 06.15.2020
https://www.trojaner-info.de/aktuelles/feature/coronavirus-sorgt-fuer-anstieg-der-malware-bedrohungen.html
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/malware-verseuchte-lebenslaeufe-und-krankschreibungen-in-umlauf.html

Against Corona: 3D printers print out protective masks and valves, PC-WELT.de, 30.03.2020
Face shields, protective masks and valves for mouth-to-mouth resuscitation devices can be printed out on a 3D printer, either by private users or by the German Aerospace Center DLR.
https://www.pcwelt.de/news/Gegen-Corona-3D-Drucker-drucken-Schutzmasken-und-Ventile-10782123.html
News&Links: more against corona virus

Coronavirus: virus infection through smartphones, fitness trackers & mainboards?, PC-WELT.de, 01.29.2020
Can you get infected with the coronavirus through smartphones, fitness trackers, smartwatches, mainboards, memory chips and processors from China? Is it dangerous, then, to hold a new smartphone to your mouth? This is what the experts say. Plus: what was the situation with SARS in 2003?
[...] The Robert Koch Institute added this important point to its coronavirus FAQ yesterday (obviously shortly after our inquiry on the matter, or at least at the same time), although phrased very evasively:
"Question: Is there a risk of getting infected with the novel coronavirus (2019-nCoV) through imported food or objects?
Answer: An infection via imported goods is very unlikely, since a contamination would have to have taken place beforehand and the virus would still have to be active after the long transport route. Whether the novel coronavirus remains infectious for several days in liquid or dried material is unknown. The Robert Koch Institute is not aware of any infections through imported objects or food."
https://www.pcwelt.de/news/Coronavirus-Sind-Smartphones-Fitnesstracker-Hauptplatinen-gefaehrlich-10745531.html

Coronavirus: daycare centres and schools. Can they ever open again?

German corona hotspot
"Heinsberg study": the number of infected people in Germany might be ten times higher than previously thought
, STERN.de, 04.05.2020
https://www.stern.de/gesundheit/-heinsberg-studie---zahl-der-infizierten-in-deutschland-womoeglich-viel-hoeher-9249388.html

Corona live map shows a horrifying picture: Europe becomes a disaster area
https://www.chip.de/news/Corona-Live-Karte-zeigt-erschreckendes-Bild-Europa-wird-zum-Katastrophengebiet_180457316.html

"The world is paralysed", STERN.de, 21.03.2020
https://www.stern.de/reise/deutschland/tourismus-in-zeiten-der-coronakrise---die-welt-ist-lahmgelegt---sagt-ury-steinweg-von-gebeco-9190342.html

He compared corona with a normal influenza, 03.04.2020
The US president...
https://www.tagesschau.de/faktenfinder/faktenchecks-corona-101.html

From News&Links#Trump

Trump is more dangerous than even Putin, Kim, Xi and Chamenei, Freenet.de, faz.net and many other sources, 25.12.2019
... result of a survey
https://www.freenet.de
https://www.infranken.de/ueberregional/deutschland/umfrage-trump-gefaehrlicher-als-putin-kim-xi-und-chamenei;art14268,4697373
https://www.esslinger-zeitung.de/deutschland-welt/topthemen_artikel,-umfrage-trump-gefaehrlicher-als-putin-kim-xi-und-chamenei-_arid,2301595.html
https://www.msn.com/de-de/nachrichten/politik/umfrage-trump-gef%C3%A4hrlicher-als-putin-kim-xi-und-chamenei/ar-BBYkoUC
https://www.faz.net/agenturmeldungen/dpa/umfrage-trump-gefaehrlicher-als-putin-kim-xi-und-chamenei-16552520.html

More than 120,000 corona-infected persons - nowhere in the world are there more corona-infected than in the USA
Record number of corona infections
The worst is yet to come for the USA
, tagesschau.de, 29.03.2020
https://www.tagesschau.de/ausland/coronavirus-usa-113.html

Coronavirus pandemic
++ More than 65,000 corona deaths in the USA ++
, tagesschau, 02.05.2020
According to Johns Hopkins University there are more than 65,000 corona deaths in the USA. The Greens begin their online party congress. Saxony-Anhalt loosens the corona restrictions. All developments in the live blog.
https://www.tagesschau.de/newsticker/liveblog-coronavirus-samstag-107.html

Warning against the big insane unknown, CVJM e.V., the 1980s

Advisor Corona-Virus, CHIP, 19.04.2020
On this website we answer the most important questions around the coronavirus and give you helpful tips on how to get through these times well. Find out the current number of infections on the pages of the German Federal Ministry of Health. More information about the risks can be found at the Robert Koch Institute.
https://www.chip.de/thema/Ratgeber-Corona-Virus_182532817.html
Support coronavirus research on your PC, how-to: https://www.chip.de/news/Coronavirus-Forschung-am-PC-unterstuetzen-So-gehts_182521317.html

New open-source projects for the fight against COVID-19, Pro-Linux, 19.03.2020
Free software projects are being provided for the fight against the COVID-19 pandemic. Some of them have now been released by universities and companies.
https://www.pro-linux.de/news/1/27886/neue-open-source-projekte-zum-kampf-gegen-covid-19.html

Nasty coronavirus tracker encrypts smartphones: how to unlock the phone again, CHIP, 16.03.2020
https://www.chip.de/news/Fieser-Coronavirus-Tracker-verschluesselt-Smartphones-So-entsperren-Sie-das-Handy-wieder_182551635.html

Myths about the coronavirus
Global bogeyman Gates
, tagesschau.de, 20.04.2020
He supposedly controls and steers mankind via microchip, earns a lot of money with vaccines and is the man behind the coronavirus: the billionaire Bill Gates has become the global scapegoat.
https://www.tagesschau.de/faktenfinder/feindbild-gates-101.html
More on this theme: Gates and corona: philanthropist or money maker?, https://www.tagesschau.de/faktenfinder/ausland/gates-stiftung-corona-101.html
The dangerous power of corona myths, https://www.tagesschau.de/investigativ/ndr-wdr/fake-news-corona-101.html
Conspiracy myths: the legends about the "corona swindle", https://www.tagesschau.de/faktenfinder/corona-schwindel-101.html

From News&Links#Computer

Are we all getting irradiated?

Hard to stand the voltage: they think electromagnetic radiation is making them ill: read how the electrosensitive live
, STERN.de,
Ulrich Weiner suffers. He is convinced that electromagnetic radiation is making him ill. Therefore he lives in a radio dead zone, in a container, off the beaten track. Our reporter switched her phone off and visited him.
The forest is his home. Yet Ulrich's greatest wish is to get back again, back home into a radio dead zone. This is what he has been trying for years, without any success.
It is not easy to meet this man. Ulrich Weiner has no telephone and no permanent residence. He lives remotely in a radio dead zone within the Black Forest. He does not want to tell us the exact location, for fear that even this refuge will be taken from him too. Dead zones have become rare in recent years. Therefore we arranged a meeting with his contact person, Monika, at a petrol station in the southernmost corner of Germany. She is the one leading us to him.
Through foggy hills Monika drives ahead of us, deeper and deeper into the thicket. There the forest becomes ever denser and the mobile reception ever worse. Suddenly there is no reception anymore. And we are at our destination. We turned off the phones. When do I have...
https://www.stern.de/lifestyle/jwd/jwd-magazin--elektrosensibilitaet---ein-leben-im-funkloch-8125696.html

77 5G transmitter masts burnt down - because of a conspiracy theory, PC-WELT.de, 10.05.2020
The number of transmitter masts burnt down in Great Britain during the corona crisis has increased.
https://www.pcwelt.de/news/77-5G-Sendemasten-von-Corona-Verschwoerungstheoretiker-abgefackelt-10806426.html

Danger through 5G: will it kill us?, PC-WELT.de, 20.04.2020
5G is supposed to be guilty of the coronavirus and of other effects harmful to health. What is the truth about it?
[...] There are more than 24,000 studies about the effects of radio waves. Sceptics would ask: "Why so many studies, if there is no danger?", while the others say: "So many papers, but no evidence against it."
[...] Will you die because of 5G? There is no evidence for it.
Can we say that it causes harm? Not on the current level of knowledge.
This article first appeared at our English colleagues at techadvisor.co.uk
https://www.pcwelt.de/international/Gefahr-durch-5G-Wird-es-uns-toeten-10787174.html
EU warns against new dangers of 5G, https://www.pcwelt.de/news/EU-warnt-vor-neuen-Gefahren-durch-5G-10681575.html

Against Windows problems: this tool repairs your Windows automatically, CHIP, 19.04.2020
Windows problems can have many causes that can be found out only with difficulty. That makes it hard for Windows users to make Windows run fine again. A free tool tries to repair Windows fully automatically.
https://www.chip.de/news/Gegen-Windows-Probleme-Dieses-Tool-repariert-Windows-automatisch_104040411.html

Video
Galaxy killer made of vegan leather? The Oppo Find X2 Pro in test
, CHIP, 19.04.2020
https://www.chip.de/test/Oppo-Find-X2-Pro-im-Test_182588675.html

From News&Links#Children

Child tracking, digitalcourage.de, seen on 09.09.2018
The BigBrotherAward 2012 in the category "communication" went to the cloud as a trend to remove users' control over their data. Laudation by Rena Tangens.
Press release: "Schutzranzen": the new version is not a solution but a problem
https://www.digitalcourage.de
https://digitalcourage.de/kinder-und-jugendliche

The last truly honest one from the police?
Man of the future, victim of the past
1981/82, someone's (no) return: someone has won the election, and the police officer from the LKA can't bear to look anymore
, from News&Links#Children, interview "Im Dritten" (WDR) about organized crime, the 1980s
Phew, how dizzy and bad he looked. Decades ago, he, a police officer from the LKA, stood right before the broadcasting TV camera of the WDR (with its texts just to read) for an interview about organized crime in the future, where he put his hands to his head rubbing his eyes - as if he could not bear to look into the future, nearly beginning to weep - more than unusual for a high-ranking police officer, causing him trouble answering the frequently asked questions. As if the unexpected awaiting all of us - which he was not able to speak about - would all be so horrifying.
Mr. police officer, what is awaiting us since 1981/82, especially the following generations; must the police, the country and the citizens capitulate before an overwhelmingly empowered, super-criminal force, their world of hungry bank directors and weeping bailiffs, unethical banks and companies just to smash, corruption, marode, washed-out states, the highest rank of the dollar over all and everyone, machines, the computers (the suneater's sun-eating) and all the laser printers (oodles of bogus money), money laundering, Springer Press, child pornography, Orwell's Big Brother, the Brave New World of Aldous Huxley, (planned) de-bureaucratization, foreigners and refugees, hostage-takings, armament and nuclear power, plagues and epidemics as another kind of business and so on and on?
Did resp. do good and evil exchange their roles?
... might have to do with the actual case see FBI / Comey...

The typical American way of life?
Sabotage, bribery, corruption and arms trade up to serious hard attacks upon each kind of competitor

Game "Pizza Connection 3" for Linux
https://www.pro-linux.de/news/1/24784/pizza-connection-3-für-linux-angekündigt.html

Ex-commissioner Wolfgang Neiß
"There is no possibility to smash organized crime"
, STERN.de, 24.11.2019
https://www.stern.de/p/crimeplus/interviews/-man-dachte--so-etwas-gibt-es-bei-uns-nicht--8811388.html

From News&Links#Computer_and_Smartphones, state: 17 August 2018

NSA´s MORECOWBELL: Even the most basic internet architecture is compromised, awp.is, 24.01.2015
DNS has always been an open book and MORECOWBELL is the program the NSA has developed exclusively to read it. As the leaked slides show, the system allows the agency to monitor the availability of sites and web services, changes in content and a wide array of metadata, that can help it build complete profiles for targeted users. If necessary, it can even be used to find weak points for launching direct attacks. Given the widespread use of DNS in the public internet, the implications of this program are huge, as it affects users on a global level.
https://data.awp.is/international/2015/01/24/20.html

Enterprise Linux 6 and 7 (CentOS 6, 7 resp. Scientific Linux 6, 7) package installers: rpm, MCC#Install and remove software, packagekit, urpmi, smart-gui, smart, fedpkg, fedora-packager, file-roller, ...; for Debian: dpkg, dselect, apt, aptitude, ...

FSB clock rate
... can be adjusted in the BIOS setup, for the ITX-220 (AMI BIOS) in section "Free Jumper Configuration" between 133 and 140 MHz. Handbook: set the highest value and clock down if errors occur. We chose the mouseclick-fast 138. To be very safe, choose 133 (this is not too slow).
Now also think of all the other settings in the BIOS setup by following the accompanying handbook.

Transport encryption part 3, HTTPS with TLS 1.3 in practice, 06.11.18 | author / editorial staff: Filipe Pereira Martins and Anna Kobylinska / Peter Schmitz
TLS 1.3 promises more security for encrypted HTTPS connections. Unfortunately the implementation is full of pitfalls and surprises.
Whoever wants secure HTTPS encryption does best to think once again about the TLS configuration, as good intentions for data protection without modern transport encryption do not make any sense.
As the vulnerabilities of the TLS protocols up to version 1.2 have been explored and are well known (see the report "TLS 1.3 - much hot air or a big breakthrough?"), it seems obvious that snooping (eavesdropping on HTTPS-encrypted connections) happens much more often than one likes to admit. TLS 1.3 really helps.
It all begins with the problem that completely giving up the TLS 1.2 fallback for clients without TLS 1.3 support is not an option for the near future.
[...] A robust transport encryption has its own shady side: malware can get through unnoticed.
With TLS up to version 1.2 (especially with RSA cipher suites) IT experts are able to examine malicious payloads in the data transfer right before they pass into the company data center. The communication was read out by so-called middleboxes, decrypted, analyzed and forwarded. With TLS 1.3 this kind of monitoring belongs to the past, as each connection is built up with Diffie-Hellman keys - no chance for so-called "deep packet inspection", as the communication can no longer be decrypted in real time as before.
https://www.security-insider.de/https-mit-tls-13-in-der-praxis-a-714096/
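One of the "pitfalls" the article alludes to is that a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its record header and legacy_version field, with the real version only in the supported_versions extension (RFC 8446). The following parser, an added example that is neither the article's nor Gooken's code, shows what a middlebox or IDS that only reads the header gets wrong; both sample records are constructed inline, not captured traffic.

```python
"""Parse a TLS ServerHello and report the negotiated protocol version.

Added example for the TLS 1.3 passage above; not code from the cited article.
Sample records are constructed inline, not captured traffic.
"""
import struct

# TLS protocol version numbers as they appear on the wire (RFC 8446, section 4.2.1)
VERSION_NAMES = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 43   # extension type carrying the real TLS 1.3 version
HANDSHAKE_SERVER_HELLO = 2
RECORD_HANDSHAKE = 0x16


def build_server_hello(selected_version=None, cipher_suite=0x1301):
    """Construct a minimal ServerHello record (constructed sample, not real traffic).

    A TLS 1.3 server always writes 0x0303 (TLS 1.2) into the record header and
    into legacy_version, and signals 1.3 only via the supported_versions extension.
    Pass selected_version=None to build a plain TLS 1.2 ServerHello.
    """
    server_random = bytes(range(32))            # fixed filler; real servers use CSPRNG output
    session_id = b""
    body = struct.pack("!H", 0x0303) + server_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", cipher_suite) + b"\x00"   # cipher suite, null compression
    extensions = b""
    if selected_version is not None:
        extensions += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def negotiated_version(record):
    """Return (legacy_version_name, real_version_name) for a ServerHello record.

    Raises ValueError on anything that is not a well-formed ServerHello, so a
    truncated or non-TLS blob is never misreported as a successful handshake.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + record_len]
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # skip legacy_session_id_echo
    pos += 2 + 1                                  # skip cipher_suite and compression_method
    selected = legacy_version                     # default: what the header claims
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("truncated extensions")
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_size == 2:
                selected = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += ext_size
    return (VERSION_NAMES.get(legacy_version, hex(legacy_version)),
            VERSION_NAMES.get(selected, hex(selected)))


if __name__ == "__main__":
    for label, rec in (("TLS 1.3 server", build_server_hello(0x0304)),
                       ("TLS 1.2 server", build_server_hello(None, 0xC02F))):
        header, real = negotiated_version(rec)
        print(f"{label}: header claims {header}, actually negotiated {real}")
```

A detection rule that logs only the record-header version will therefore file every TLS 1.3 session as TLS 1.2; the supported_versions extension is the field to inspect.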

Mouseclick-fast: secure surfing with TLS 1.3
Firefox-ESR >= 52.9: requires lib64nss3 (mga7, pclos) or nss (fc, ...) and libssl3.so.1.1.1d (well-patched openssl-1.1.1d (fc29)) or libssl3.so.1.1.1a (certified openssl-1.1.1a, fc27) copied to /usr/lib64/firefox/libssl3.so (installation directory)
Overview firefox-ESR-52.9.0: https://software.opensuse.org/package/firefox-esr
https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/ (runs on quite all glibc; for el6 it requires glib2 (el6), in contrast to OpenSuSE-Evergreen_11.4: mozilla-nss (NSS_3.51, OpenSuSE Tumbleweed), mozilla-nspr (OpenSuSE Tumbleweed), nss-softokn (el6), nss-softokn-freebl (el6); eventually a re-linking is required: /lib64/libglib... and /lib64/libgthread... with /usr/lib64/firefox/bundled/lib64/libg...5400...: ln -sf /usr/lib64/firefox/bundled/lib64/libg...5400.. /lib64/libg...-2.0.so.0, with /usr/lib64/firefox/bundled and /usr/lib64/firefox/gtk2 taken out of firefox (el6) like firefox-68.9.0 (el6). After this, delete the old links from /lib64: libglib (el6: 2800.8) and libgthread (el6: 2800.8): rm -df /lib64/libglib...2800.8... and rm -df /lib64/libgthread-...2800.8... ! Now this currently actual firefox (OpenSuSE 15.1) can always be simply updated:

https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.22.x86_64.rpm (from 07.08.2020)
https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.21.x86_64.rpm (from 06.20.2020)
https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.20.x86_64.rpm (from 06.12.2020)
https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.19.x86_64.rpm (from 05.28.2020)
https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.18.x86_64.rpm (from 04.28.2020)
https://download.opensuse.org/repositories/home:/anoncvs/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.9.1.x86_64.rpm (from 06.02.2020)
https://ftp1.nluug.nl/os/Linux/distr/opensuse/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.20.x86_64.rpm (from 06.12.2020)


alternative (and it's totally confusing with SuSE, quite as usual...):
http://ftp1.nluug.nl/os/Linux/distr/opensuse/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/
Source code: https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/src/firefox-esr-52.9.0-lp151.3.18.src.rpm
https://download.opensuse.org/repositories/home:/steffens:/lvermgeo:/firefox/openSUSE_42.2/x86_64/firefox-esr52-52.9.0-4.14.x86_64.rpm (from 08.03.2019)
https://download.opensuse.org/repositories/home:/anoncvs/openSUSE_Tumbleweed/x86_64/firefox-esr-52.9.0-3.20.x86_64.rpm (from 05.20.2020, for quite actual glibc only)
https://download.opensuse.org/repositories/home:/anoncvs/openSUSE_Tumbleweed/x86_64/
https://download.opensuse.org/repositories/home:/anoncvs/openSUSE_Leap_15.1/x86_64/
https://download.opensuse.org/repositories/home:/anoncvs/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.8.1.x86_64.rpm (from 07.09.2019: ( ... how can it be?), glibc >= 2.20)
http://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/linux4humans:/sle11_software:/firefox/openSUSE_Evergreen_11.4/x86_64/MozillaFirefox-52.9.0-10.2.x86_64.rpm (from 05.15.2019, quite all glibc and up from glib2 (el6))
seamonkey (el6, version 2.49 contains the currently patched Firefox-ESR-52.9)
https://rpm.pbone.net/index.php3/stat/4/idpl/54051369/dir/opensuse_leap_15/com/MozillaFirefox-52.9.0-lp150.5.1.x86_64.rpm.html
https://rpm.pbone.net/index.php3/stat/4/idpl/55298083/dir/opensuse/com/MozillaFirefox-52.9.0-4.5.x86_64.rpm.html
Firefox-ESR-52.8.1 (el6, fr2.rpmfind.net)
https://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/linux4humans:/sle11_software:/firefox/openSUSE_Evergreen_11.4/x86_64/MozillaFirefox-52.9.0-10.2.x86_64.rpm
tor (rosa2016.1, el6), Tor-Browser (Firefox-ESR >= 52.9): requires lib64nss3 (mga7, pclos) or nss (fc, ...) and nss-3.41.0 (fc30) with libssl.so.3 copied to /home/toruser/tor*/Browser*/
Pale Moon >= 27.3.0: requires lib64nss3 (mga7, pclos) or nss (fc, ...) and libssl3.so.1.1.1d (from openssl-1.1.1d, fc29) resp. libssl3.so.1.1.1a (from openssl-1.1.1a, fc27) copied to /usr/lib64/palemoon/libssl3.so
Pale Moon, notice: NoScript and RequestBlockPolicyContinned do not block many scripts as they should!
/usr/lib64/libcrypto.so.1.1 is linked to /usr/lib64/libcrypto.so.1.1.1a and /usr/lib64/libssl.so.1.1 to /usr/lib64/libssl.so.1.1.1a.

Viruses, trojans, worms, bots: 40 percent of all computers in Germany are "zombies", FOCUS Online, 03.02.2014
The amount is alarming: 40 percent of all PCs in Germany are infected and can be remote-controlled by cyber-gangsters. Once installed, malware opens backdoors for new ones.

All Intel CPU generations since Celeron
"We can skim out (eavesdrop) everything", tagesschau.de, 04.01.2017
According to a newspaper report, researchers from the Technical University Graz in Austria were also involved in the detection of the recently disclosed lacks in security within plenty of computer chips. "We were shocked ourselves that it works", said Michael Schwarz from the TU Graz to the "Tagesspiegel".
Through this leak all data could be read out that are currently being processed in the computer. "In principle we can read out everything typed into the computer." Attackers could gain online banking data or stored passwords.
"Though for this purpose they first have to get onto the computer", Mr. Schwarz qualified.
https://www.tagesschau.de/ausland/intel-sicherheitsluecke-103.html

From News&Links#MS-Windows

Windows 10 - Just a data-protection accident
Politics on the data slinger Windows 10: supervisory authorities must act
, netzpolitik.org, 11.29.2018
https://netzpolitik.org/2018/politik-zur-datenschleuder-windows-10-aufsichtsbehoerden-muessen-handeln/


Technology
Encryption won´t stop your internet provider from spying on you
, theatlantic.com, 05.29.2017
Data patterns alone can be enough to give away what video you’re watching on YouTube.
Kaveh Waddell
https://www.theatlantic.com/technology/archive/2017/03/encryption-wont-stop-your-internet-provider-from-spying-on-you/521208/

Huawei P40 Pro: Google does not exist anymore, CHIP, 02.04.2020
[...] ... is a salient smartphone with plenty of improvements...
https://www.chip.de/test/Huawei-P40-Pro-im-Test_182596289.html

Smartphone HUAWEI Y360 (Y360-U61) with accessories and magnetized black leather case and charger from expert, year 2015, for 79 Euro (I got it from a friend for free...)
[...]


From News&Links#Alternatives

Young comedian talent
How does "funny" work? In this school beginners learn how to become a stage comedian
, STERN.de, 29.02.2020
https://www.stern.de/p/plus/gesellschaft/wie-geht-lustig--in-dieser-schule-lernen-anfaenger--wie-man-buehnenkomiker-wird--9157550.html

From News&Links#Computer

Computer glasses (blue light of the TFT), protective gloves (keyboard, mouse, hardware: Corona and other infections), respirator mask (air out of the power adapter, teamwork, Corona), radiation protection suit (mobile phone, power adapter, CD/DVD recorder, ...), ...

From News&Links#Part2

How would they have been dealt with all the time, Volkswagen & Co., without the reform of the old social help (of the old SGB II) by the VW man named Schröder: ALG II / Hartz IV?
Read more about Sozialhilfe of the old SGB II on News&Links#part2! Following the image of Clever and Smart, the opposite must have been ordered by USA/NY, the jealous ones as usual:

See the image Clever and Smart above, title: "The next number without any net! / Die nächste Nummer ohne Netz!", NY 1983, ...

Notice: this image comes right from the time when (elephant?) Microsoft was founded...
Some like it hot...

"I have never been lied to like that!"
The eavesdropping programs of the secret services
, netzpolitik.org, 29.01.2018
"I have never been lied to like that", said Hans-Christian Ströbele about his work in the NSA-BND investigation committee. In a conversation with Constanze Kurz the Green politician sums up the results of the parliamentary investigation.
https://netzpolitik.org/2018/34c3-die-lauschprogramme-der-geheimdienste/

Expert about privacy: "I ask myself why people still go through this", STERN.de, 09.06.2019
Marc Al-Hames knows all the tricks of the advertising industry. In an interview with stern he explained why sudden commitments to data protection by some corporations cannot be taken seriously, and the main difference between Apple and Google concerning data protection.
[...] "Google collects data not only with the help of services like Gmail, Youtube or the Play Store, but also out of the net.

From this excurs

The hell with advertisement? Advertisement (into the bargain of the costs of the taxpayer)? No, thanks!
Where even 81/82-USA has to keep the hands off !:

Stiftung Warentest, TÜV Rheinland, Öko-Test, GS - Geprüfte Sicherheit (well checked, tested security), DLG, ISO-certified company, ISO, DIN, AUSTest (lifetime-durability), reports from tagesschau, STERN, Spiegel, ..., OpenSource / LSB-compliance (Linux/UNIX), patent rights:

From News&Links#BuenoAppetito

Germany's Yes to glyphosate, tagesschau.de, 28.11.2017
Surprising, reasonable, superfluous

Monsanto in court
Vandana Shiva for example talks about 300,000 Indian farmers who committed suicide because of Monsanto
Farmers, beekeepers and health experts from North and South Africa, Asia and Africa report about the health and economic harms that were caused by the company Monsanto, its products and business practices
Quasi in court too: the German Bayer AG group
, Tagesschau.de, 15.10.2016


Awful malformations
Through glyphosate: 22 pug puppies died painfully
, FOCUS Online, 12.10.2016
http://www.focus.de/regional/leipzig/schreckliche-missbildungen-22-mops-welpen-in-leipzig-durch-glyphosat-getoetet_id_6061761.html

From News&Links#Part2

Historical literature out of the castle library MG-Rheydt, old book title:

"Catastrophe region Niederrhein in Germany: Wars - witches - famines..."


Prosecution by law against VW-manager
Did they cause harm of about 78 billion Euro?
, tagesschau.de, 16.04.2019
https://www.tagesschau.de/investigativ/ndr-wdr/vw-schadenshoehe-101.html

From News&Links#bank_scandal

"With every dirty business the Deutsche Bank is involved."
, Tagesschau.de, July 2014

Deutsche Bank is prosecuted in around 1200 lawsuits, Tagesschau, 22.05.2014
The bank scandal of the Deutsche Bank and other banks, click here

From News&Links#BuenoAppetito

Yogurt from Germany, wine from Italy: Putin burns tons of food, FOCUS Online, 06.08.2015
Already the apples from the west were poisoned. [...]

Russia's defence against harmful influences of food from the west
Self-appointed forces enforce an embargo
The Cossack in the supermarket
, Tagesschau.de, 22.08.2015


Selection of Tor relays: inclusion/exclusion/selection...

From News&Links#NSA&Co.

Five Eyes & Co.
"They want to know everything about everyone - without exception"
, tagesschau.de
Only a few are excepted from it: written into the source code, which is available to NDR and WDR, is the differentiation between the partner countries of the USA, the so-called "Five Eyes", New Zealand, Australia, Great Britain and Canada, and the other

"Two years after his election the end of the world would come", as famously only the Jehovah's Witnesses said in the 70s.

From this excurs

Your data got securely anonymized, … didn't they?, CHIP, 04.03.2020
"Please move on - your data were anonymized successfully - there is nothing to see here." We hear this again and again while we are on the way online: do not care that all kinds of companies trace each of your steps in the net. All registered information about you gets anonymized, each personally related datum removed. Even if those data are offered for sale for advertisement and used for the further development of products, it does not concern you. No worries, do not think about it, just click here.
Just follow the money on its way to your data.
There are many reasons to believe in anonymization as an effective protection of your privacy, but in most cases it has to do with money. We live in the surveillance economy: the financial interest in registering, tracing and using your data is high. This begins with Google tracking users online, Facebook Likes that are observing, Amazon tracing its customers through each selling phase, and the fact that there exist numerous data brokers and sellers. Even security companies profit from the data-capturing business. According to a current report of the New York Times, hundreds of trackers were found tracing a journalist during his visits to 47 websites each day. Regardless of the size of the company, all try to make clear to him that the registered data would get safely anonymized.
"Customers know that companies sell their data and do not like it anyway. All "anonymized" data can be combined and evaluated for the identification of persons. We won't do that and distinguish ourselves from our competitors", says Travis Witteveen.
But how easy is it to identify one person out of the so-called anonymized data?
More than four data points are enough and you get identified
Current research results show that indeed only some data points are needed to put an end to the so-called anonymization. Researchers just need 15 data points, all stored in anonymizing databases. If you possess a smartphone, even fewer data points than 15 are enough for it. Researchers from MIT and the Université Catholique de Louvain in Belgium found out that just four space-time data points (your location area at an approximate point in time) are sufficient for the identification of around 95 percent of humans.
https://www.chip.de/artikel/Ihre-Daten-wurden-sicher-anonymisiert-oder_182175803.html
Alternatively: already with the browser identification (browser UA)..., more about this in the following!

Another study proves the lie about "anonymized" data, netzpolitik.org, 26.07.2019
Anonymous data are often not really anonymous at all; in many data sets individuals can be uniquely identified even without names. A new study illustrates with what astonishing precision this works. Many companies and databases undermine the General Data Protection Regulation.
https://netzpolitik.org/2019/weitere-studie-belegt-luege-anonymer-daten/

New study: 99.98 percent are identifiable: Why our data in the net aren't anonymous, STERN.de, 15.03.2020
https://www.stern.de/digital/online/anonymisierung--warum-unserer-anonymen-daten-gar-nicht-so-anonym-sind-8822370.html

From News&Links

Gooken in Berlin-Kreuzberg the 80th: "They need a coffee..."

News&Links: Tor, The Anonymizing Network - Äh, ... Looking out for Good Tor Nodes now (entry-, middle- and exit-nodes / relais)..., text 2019 by Gooken

From News&Links#NSA&Co.

It's just ridiculous
The small company got totally IT-secured - but only ingratitude results from it (in the background conglomerates like CIA, downturn of company profit)!
NSA, CIA & Co.
Another kind of thinking
"The man with the good ol' cash is always Mr. Right" ("Living in a material world", from the song Material Girl by Madonna, 80s)
Job and career for net, system and database administrators
Why the company might already belong to others
Beginning with system administrator "root" (root rights over all): owner and access rights, (always password-free!) chroot (chroot, mount), ssh, remote login, exploit codes, exploits, drivers: with all the authority, insights into and knowledge about the company, doing the job for the most weighty company & Co.:


From News&Links#Computer

As well known, for all there does exist just one and the same superuser named root...

Conquest of the company flag "root"
Management issue: Net and system administration


6 tips to protect against thievish IT admins, PC-WELT, 10.12.2017
Now and then employees commit data theft in their own company. This is how you protect yourself.
https://www.pcwelt.de/ratgeber/Ratgeber-Datensicherheit-6-Tipps-zum-Schutz-vor-diebischen-IT-Admins-1340729.html

Weak point human: About the horrible tricks and methods of social engineering, trojaner-info.de, 06.03.2018
https://www.trojaner-info.de/business-security/schutz-vor-social-engineering/articles/die-methoden-des-social-engineering.html

Cybercriminals caught in the act!, trojaner-info.de, 23.10.2019
When one thinks of cybercrime, one often thinks of hacker attacks that take place from outside. But the danger from data leaks from inside an organisation is at least as great. According to the current Insider Threat Index, insider threats are said to have fallen slightly in Europe, but still 38 percent of security incidents are attributable to the direct threat from malicious or careless employees.
https://www.trojaner-info.de/business-security/aktuell/cyberkriminelle-auf-frische-tat-ertappen.html

Read how horrible the common threat is!, PC WELT, 01.10.2017
https://www.pcwelt.de/ratgeber/Das_grosse_Kompendium_zur_Netzwerksicherheit-Netzwerke-7811930.html

Social Engineering - attacks from the inside because of the weak point human, PC-WELT.de, 01.10.2017
https://www.pcwelt.de/ratgeber/Netzwerke-Social_Engineering_-_Angriffe_von_Innen_und_menschliche_Schwaechen-7812014.html

"Weak Point Human"
Kaspersky it-sa 2019

https://www.trojaner-info.de/business-security/aktuell/kaspersky-auf-der-it-sa-2019.html

Viruses, trojans, worms, bots: More than 40 percent of all computers in Germany are "zombies", FOCUS Online, 02.03.2014
The amount is alarming: 40 percent of all PCs in Germany are infected and can be remote-controlled by cyber-gangsters. Once released, malware often opens the back door for new pests. How you can protect yourself. The number of infected computers in Germany rose again to 40 percent in the past year. This was established by the anti-botnet advisory centre of the internet association Eco. In 2014 more than 220,000 computers were scanned, around 80 percent of which had an outdated browser installed. These frequently allow takeover by trojans and viruses. A first pest often opens the door for further infections, the association explains. "Zombie computers" can be remote-controlled. Infected so-called "zombie computers" can be remote-controlled by cybercriminals. "Their systems act as part of a network that criminals use for crimes such as sending spam or denial-of-service attacks, which cause considerable financial damage", explains Markus Schaffrin, security expert at Eco. The result is alarming, says Eco. For sustainable security a correctly configured firewall and an antivirus program are necessary, says the association. How to find the best virus scanner is explained by FOCUS Online here (we, Gooken, recommend the open-source scanner ClamAV, which can be installed on all common operating systems and is therefore under comprehensive review).

Around 40 percent of German companies are hit by cyberattacks, trojaner-info.de, 03.19.2020
In the past twelve months, according to a study, 41 percent of German companies with more than ten employees have had to react to at least one cyberattack. Automatically repelled attacks, for example spam e-mails stopped by a firewall, are not included in this calculation, the Criminological Research Institute of Lower Saxony emphasized when presenting the study on Monday.
https://www.trojaner-info.de/business-security/aktuell/etwa-40-prozent-deutscher-unternehmen-erleben-cyberangriffe.html

Since executed programs (processes), think of word processing and terminal, already reside in RAM...

All Intel and many AMD CPU generations since Celeron
"We can read out everything", tagesschau.de, 04.01.2017
According to a newspaper report, researchers from the Technical University Graz in Austria were also involved in uncovering the recently disclosed weaknesses in numerous computer chips. "We were shocked ourselves that it works", said Michael Schwarz from the TU Graz to the "Tagesspiegel".
Through the weakness all data could be read out that are currently being processed in the computer. "In principle we can read along with everything you are typing right now." Attackers could thus also get hold of online banking data or stored passwords. "For that, however, they first have to get onto your computer", Schwarz qualified. Those who follow the usual security advice and do not open unknown attachments or click on dubious links are not in immediate danger.
https://www.tagesschau.de/ausland/intel-sicherheitsluecke-103.html

Eight new lacks in security in Intel CPUs
Intel names new lacks in security Spectre 3a and 4
, linuxnews.de, 22.05.2018
The eight new security holes in Intel CPUs discovered at the beginning of the month, introduced under the collective term Spectre-NG, were confirmed by Intel at the time. Now updates have been announced for two of the holes.
https://linuxnews.de/2018/05/intel-nennt-neue-luecken-spectre-3a-und-4/

PortSmash: New lacks in security within Intel, linuxnews.de, 03.11.2018
With PortSmash, researchers have discovered a new hole in Intel CPUs that exploits their Hyper-Threading technology (HT).
https://linuxnews.de/2018/11/portsmash-erneut-sicherheitsluecke-bei-intel/

Alleged security lacks in current AMD CPUs discovered, linuxnews.de, 22.03.2018
A few days ago a report made the rounds that was very reminiscent of Meltdown and Spectre. The previously unknown Israeli security company CTS-Labs Research reported 13 alleged holes in AMD's current desktop and server processors.
https://linuxnews.de/2018/03/amd-sicherheitsluecken-in-ryzen-und-epyc-bestaetigt/

Detailed, precise check: spectre-meltdown-checker (el6) resp. meltdown-spectre-checker (el6)
Solution: The solution depends on the security concept (excurs). Microcode, kernel version, device drivers and the CPU itself might only help partially, that means not at all, and if they help, they only mitigate the problems with Meltdown and Spectre:

microcode_ctl (speeding up; rosa2016.1, el6: microcode_ctl-1.17-33.33.el6_10.x86_64.rpm, fc29: ver. 2.1-33; we recommend the mouseclick-fast microcode_ctl (rosa2016.1) installed over microcode (el6) by rpm -i --force) or ucode_intel (OpenSuSE) and an updated kernel 4.19 or >= 4.21 (kernel 5) (we installed kernel 4.20.13-pclos)
Start microcode_ctl (e.g. in /etc/rc.local):

echo 1 > /sys/devices/system/cpu/microcode/reload
sh /usr/libexec/microcode_ctl/reload_microcode
... or by a udev rule that detects the processor in use.

Firewall Linfw3 against Meltdown and Spectre: set group "nobody" as the primary group of surfuser and only allow surfuser with one additional group, named surfgroup for example (instead of nobody), to go online. Linfw3 is able to block even root (UID: root, 0; GID: root, 0). So nobody is allowed to go online through Linfw3 except surfuser with group surfgroup (instead of his primary group "nobody"), which prevents device drivers from exchanging data, as in this case caused by Meltdown and Spectre. To go paranoid and make it even more confusing for kernel and CPU, set all directories and files owned by surfuser to its primary group "nobody".
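The group-based egress rule described above, written out as an added example for this excurs (it is not Linfw3's own script): the iptables "owner" match, which only exists in the OUTPUT chain, lets exactly one group originate connections while every other process, root included, is logged and dropped. The group name surfgroup and the DRY_RUN switch are assumptions of this example; with DRY_RUN=1 (the default) the policy is only printed, so it can be reviewed without root before it is applied with --apply.

```shell
#!/bin/sh
# Added example (not Linfw3's code): per-group egress control with the
# iptables "owner" match. Assumptions: the browsing account's extra group
# is "surfgroup"; DRY_RUN=1 prints the rules instead of applying them.

: "${DRY_RUN:=1}"

# ipt: either print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# surf_only_egress GROUP: allow outbound traffic only for processes whose
# group id is GROUP; everything else, uid 0 / gid 0 included, is logged
# and dropped.
surf_only_egress() {
    group="$1"
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    # loopback stays open for local services (DNS cache, X11, ...)
    ipt -A OUTPUT -o lo -j ACCEPT
    # replies on connections that were already accepted
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the one permitted originator of new connections
    ipt -A OUTPUT -m owner --gid-owner "$group" -j ACCEPT
    # root is not exempt: it only gets its own log prefix before the drop
    ipt -A OUTPUT -m owner --uid-owner 0 -j LOG --log-prefix "root-egress: "
    ipt -A OUTPUT -j LOG --log-prefix "egress-denied: "
    ipt -A OUTPUT -j DROP
}

# rule_count GROUP: number of -A rules the policy produces (dry run),
# a quick self-check before applying it.
rule_count() {
    ( DRY_RUN=1; surf_only_egress "$1" ) | grep -c '^iptables -A OUTPUT'
}

# usage: sh surf_only.sh            (print the policy)
#        sh surf_only.sh --apply surfgroup   (apply it, as root)
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    surf_only_egress "${2:-surfgroup}"
fi
```

The LOG rules are what make the policy auditable: a hit on "root-egress:" in the kernel log means some process running as uid 0 tried to open a connection, which under this concept should never happen.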

More and more companies do eavesdrop us, digitalcourage.de, 09.09.2018


Tests in year 2016: around 5500 connection setups per day from MS Windows 10 into the internet
Contacts to internet servers within just a few hours
Windows data protection at the BSI level - howto
, PC-WELT.de, 04.17.2019
We will report about this theme and the methods against it in future!

This anti-hacker tool protects your PC, PC-WELT.de, 04.20.2020, report by Arne Arnold, Tobias Hager, Benjamin Schischka & David Wolski
A public WLAN or a weak access point in your system is sufficient for a hacker. With these free tools you shoot the bolt against intruders.
[...] Beware!: Deft contains several tools that circumvent security precautions and can eavesdrop on network traffic. As already said in the introduction to this article: note therefore that using Deft in other people's networks and on other people's computer systems is not legal in Germany. Without explicit permission these tools may only be used in your own networks and on your own PC.
https://www.pcwelt.de/ratgeber/Download-Galerie-Kostenlose-Anti-Hacker-Tools-schuetzen-Ihren-PC-3907300.html

Insider
Three new, but hidden security functions for Windows
, PC-WELT.de, 03.20.2020
Microsoft has built additional security functions into Windows 10 that almost nobody knows about. Read how to activate the additional protection.
Highlight: sandbox for the browser
https://www.pcwelt.de/ratgeber/Drei-neue-versteckte-Schutz-Funktionen-fuer-Windows-10766096.html

RAM capacity killers and eavesdropping spies
These programs secretly run on your Windows PC
, PC-WELT.de, 03.21.2019
Memory hogs and spies - hidden programs are running on your PC too. With our tips you throw disguised pests and ballast overboard.
Finding hidden processes: Anyone who believes the taskbar shows all currently running programs is seriously mistaken. Far more applications are running in the background than Windows wants to reveal to you via taskbar icons.
https://www.pcwelt.de/ratgeber/Ratgeber-Windows-Diese-Programme-laufen-heimlich-auf-Ihrem-PC-464074.html

Especially the IT branch is unpopular
Without perspective: teens do not know which job to take
, Focus, 11.27.2014


CPU, RAM, malware & Co.: how to solve PC problems
Quite all microprocessors are affected
Intel vs. AMD: Lacks in hardware security 2020 - 2:1 for…
, PC-Magazin, 03.14.2020
Quite all Intel chips of the past five and all AMD chips of the past nine years have lacks in hardware security. We collect current news…
https://www.pc-magazin.de/news/intel-amd-cpu-sicherheitsluecken-2020-csme-l1-cache-3201339.html

Companies collect more data than they can manage
Jason Hart, Vice President and CTO for Data Protection at Gemalto
, trojaner-info.de, 07.13.2018
https://www.trojaner-info.de/business-security/aktuell/data-security-confidence-index-von-gemalto-zeigt-unternehmen-sammeln-mehr-daten-als-sie-verarbeiten-koennen.html

US government forces companies to more data transfer, Tagesschau, 02.14.2015
Obama at the summit on data security in the fight against cybercrime: a "summit" at which some were missing, Tagesschau, 14.02.2015


Are data the new oil?, trojaner-info.de, 11.13.2019
The rising value of data leads to it being traded as the "new oil". Every company generates a pool of data, but only very few companies can claim to be sitting on a "large oil well".
https://www.trojaner-info.de/business-security/aktuell/sind-daten-das-neue-oel.html

MS Windows, Android etc. - Constant fight between malware programmers and antivirus manufacturers
Eight tips against malware - how to arm oneself preventively and effectively against hackers and cybercriminals
How users arm themselves against trojans and malware
, trojaner-info.de, 08.04.2019
https://www.trojaner-info.de/daten-sichern-verschluesseln/schutz-vor-malware/articles/tipps-gegen-malware-und-trojaner-so-wappnet-man-sich-praeventiv-gegen-cyberkriminelle.html

One, two, three, four state trojans, netzpolitik.org, 03.21.2019
[...] ZITiS is not the only German hacker authority. The Federal Criminal Police Office can currently deploy three state trojans, a fourth is being programmed at the moment.
Continuation of the report: shortly, after the listing from trojaner-board.de!

Pwn2Own: Hacker contest by remote control, PC-WELT.de, 03.19.2020
This year the hacker contest Pwn2Own takes place without the physical presence of hackers. On the first day all participants succeeded
https://www.pcwelt.de/news/Pwn2Own-Hackerwettstreit-per-Fernbedienung-10774383.html

Hospitality industry in the sights of a BadUSB social engineering attack, trojaner-info.de, 04.03.2020
The current security incident with a USB stick permits a look at how companies could become careless victims. One of the oldest forms of modern social engineering is "dropping the malware-laden USB stick in the company car park".
https://www.trojaner-info.de/business-security/aktuell/hospitality-gewerbe-im-visier-eines-badusb-social-engineering-angriffs.html

IT security: The BKA prevents lacks in security from being closed, netzpolitik.org, 11.12.2018
The Federal Criminal Police Office wants to prevent hardware and software manufacturers from learning about security holes in their products and closing them. With this reasoning the police authority refuses access to documents about state trojans. Politicians criticize that the state thereby weakens IT security.
https://netzpolitik.org/2018/it-sicherheit-das-bka-verhindert-dass-sicherheitsluecken-geschlossen-werden/

Big Brother Award 2018
Questionable award: the data negative prize for Microsoft and Amazon
, CHIP/DPA, 04.22.2018
We report about this in future!

Partial "solution to resp. help for" the matter "chief issue - administration" (at least possible for UNIX/Linux systems): isolation of the (even in future) generally authorized "company owner" and superuser root with belonging strongly restricted group rights; setting the login shell to "/sbin/nologin" (not only for root), while access to root is still possible by MCC resp. the system control centre or from the outside through rescue systems (then the installation and update of software packages is not possible anymore); forbidding chroot (chroot); full system encryption; keeping the root password secret (super-/top-secrecy); PAM no-root-login (belonging rules); the creation of accounts for some net programs like psad (user psad for psad), user surfuser with group surfgroup for firefox, tor and ftp clients and so on, and the sub-administrator accounts with department-wise owner and access rights and views; firewall Linfw3 through its possibility to block users and groups including even root (user ID (uid) 0 and group ID (gid) 0); followed by the creation of the other single group and user accounts; deinstallation of sudo; performing each method introduced in this excurs like anonymizing the user-agent browser specification, the SUID sandbox firejail for browsers etc., localizing DNS queries through the protective mask /etc/hosts, the local DNS cache pdnsd and anonymizing tor-resolve (TOR-DNS, TOR), TOR with VPN, ...
PAM: /etc/pam.d/*; an explanation of the individual PAM libraries (pam*_.so) integrated there in the configuration files and their belonging options is given by man, e.g. "man pam_unix" for pam_unix.so.
There (in /etc/pam.d), companies should configure the PAM login in such a way that MCC (Mandriva Control Center) resp. the graphical system configuration cannot be started by root anymore. Then it is no longer possible to change user passwords, user and group accounts and their belonging login shell (root: /sbin/nologin) within the user administration. This also prevents any changes in /etc/passwd.
To undo this again, for user and system updates, system configuration, package installations and updates for example, use a rescue system from a USB memory stick or other external media.
More about PAM: https://www.golinuxhub.com/2018/08/how-to-lock-or-unlock-root-normal-user-pamtally2-pamfaillock-linux.html, ...
... and soon in the following!
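A check that goes with the passage above, added here as an example and not taken from Gooken or any of the tools it names: after the login shells have been set to /sbin/nologin, this script lists which accounts in a passwd(5) file can still log in interactively and reports whether every uid-0 account is locked. It runs on /etc/passwd or on a copy from another host; the sample file embedded below is constructed for the example (it deliberately contains a leftover uid-0 account "toor" with a shell so that the check has something to flag), and the list of non-interactive shells is an assumption you may need to extend for your distribution.

```shell
#!/bin/sh
# Added example (not Gooken's or Linfw3's code): audit which accounts still
# have an interactive login shell and whether every uid-0 account is locked.
# Assumption: these shells count as "no login"; extend the list if needed.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# is_nologin SHELL: returns 0 if SHELL is one of the non-interactive shells
is_nologin() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# login_accounts FILE: print "user:uid:shell" for every account in the
# passwd-format FILE that can still log in interactively.
login_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        # skip comments and blank lines
        case "$user" in ''|\#*) continue ;; esac
        if ! is_nologin "$shell"; then
            printf '%s:%s:%s\n' "$user" "$uid" "$shell"
        fi
    done < "$1"
}

# root_locked FILE: returns 0 if no uid-0 account in FILE has a login shell
root_locked() {
    login_accounts "$1" | awk -F: '$2 == 0 { found = 1 } END { exit found ? 1 : 0 }'
}

# Constructed sample (not a real system file): root already switched to
# /sbin/nologin, one surf account, service accounts, and a leftover
# second uid-0 account "toor" that still has a shell and must be flagged.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
surfuser:x:1001:99:browsing only:/home/surfuser:/bin/bash
psad:x:480:480:psad daemon:/var/lib/psad:/sbin/nologin
EOF

# usage on a live system: login_accounts /etc/passwd; root_locked /etc/passwd
```

On the sample, login_accounts prints only toor and surfuser, and root_locked fails because of toor: exactly the kind of forgotten second superuser that the nologin step is meant to rule out. Run the same two functions against /etc/passwd after the PAM and shell changes, and again from the rescue system after every package update, since updates can recreate service accounts with a shell.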

Munich's ex-mayor: Ballmer jumped angrily through his office because of the change to Linux, PC-WELT.de, 11.12.2019
https://www.pcwelt.de/news/Muenchens-Ex-OB-Ballmer-sprang-durchs-Buero-wegen-Wechsel-zu-Linux-10700234.html

From News&Links#MSWindows

Microsoft founder
Bill Gates explains which two factors make Corona so dangerous - and how to master the crisis
, STERN.de, 02.29.2020
Bill Gates is the richest person in the world. He uses his fortune to improve the global health system. The coronavirus, however, could push the world to its limits - but he also has proposals for mastering the crisis.
https://www.stern.de/gesundheit/coronavirus--bill-gates-erklaert--warum-es-so-gefaehrlich-ist-9164688.html

Bill Gates profits from the Coronavirus
Rumours and fakes
Coronavirus-conspiracies
, tagesschau.de, 01.28.2020
The many open questions in the case of the coronavirus are the ideal breeding ground for conspiracy theories. For example, it is claimed that Bill Gates would profit from the outbreak.
[...] Thus patents on coronaviruses that can be found on the internet lead the authors of various posts and articles to speculate that the virus that has now broken out was developed and released in laboratories in order to market vaccinations. Patents on certain gene sequences of coronaviruses do indeed exist. However, the corona viruses are a large family of viruses - none of the patents refers to the new variant 2019-nCoV that has appeared in China.
[...] The Gates conspiracy?
Other dubious theories put the entrepreneur and billionaire Bill Gates and his foundation at their centre. Thus the fact that one of the coronavirus patents is held by the English Pirbright Institute and that this institute is supported by the Bill and Melinda Gates Foundation is presented as a conspiracy of the vaccine industry. Gates would profit from the coronavirus outbreak, it is claimed there. "Vaccinations are one of the main causes of coincidences", wrote for instance a YouTuber and follower of the conspiracy-theory QAnon movement on Twitter.
[...] Others see a further indication of a possible laboratory origin of the virus in the fact that China's National Laboratory for Biosafety is located in Wuhan. Thus the American site "Washington Times" quotes a former Israeli intelligence officer who suspects that the virus could have escaped from this facility. In Germany, for example, the online portal "Epoch Times" picked up the report.
It is correct that the Wuhan Institute of Virology was indeed inaugurated in the city at the beginning of 2015 - so far the only official Chinese laboratory of biosafety level 4. Only these high-security facilities may work with biological agents of the highest risk group, which according to the Biological Agents Ordinance "cause a serious illness in humans and constitute a serious danger to employees". These include, for example, the pathogens of Ebola, smallpox or SARS. In the science magazine "Nature" experts already voiced concerns in 2017 about possible security gaps at the institute.
Bill Gates is at the centre of a conspiracy theory about the coronavirus.
As the fact-checking site Politifact writes, connections are taken out of context. It is true that the institute holds a coronavirus patent and that the Bill and Melinda Gates Foundation supported the institute financially in the past. But these facts alone do not prove that Gates and his foundation profit from the virus outbreak.

https://www.tagesschau.de/faktenfinder/fakes-geruechte-coronavirus-101.html

Coronavirus: Intel cancels its MWC participation too, PC-WELT.de, 02.11.2020
More and more companies do not want to attend the Mobile World Congress in Barcelona because of the coronavirus outbreak.
https://www.pcwelt.de/news/Coronavirus-Intel-sagt-MWC-Teilnahme-ebenfalls-ab-10752079.html

Bill Gates aims to invest billions in nuclear energy, PC-WELT.de, 01.28.2019
Bill Gates wants to invest billions of US dollars to convince the US Congress of clean nuclear power.
https://www.pcwelt.de/a/bill-gates-will-milliarden-in-kernkraft-investieren,3463817

This website tracks the spread of the coronavirus: https://www.pcwelt.de/news/Corona-Virus-Diese-Website-trackt-Verbreitung-des-Virus-10744095.html

The MS Windows command line: useful commands for beginners and professionals, PC-WELT.de, 21.03.2020
Whoever masters the command line can solve many tasks more effectively and fix problems faster. How to learn more about it.
https://www.pcwelt.de/ratgeber/Die-Kommandozeile-Hilfreiche-Befehle-fuer-Anfaenger-und-Profis-10765224.html

Are we all being poisoned?

The apples were already poisoned
Yoghurt from Germany, wine from Italy: Putin burns tons of food
, FOCUS Online, 06.08.2015
Despite the Minsk agreement there is repeated fighting in Ukraine. A solution to the conflict seems far away. NATO is trying to show strength. The developments in the FOCUS Online news ticker.

Russia's defence against unwelcome food influences from the West
Self-appointed intervention forces enforce the embargo
The Cossack in the supermarket
, tagesschau.de, 08.22.2015
The Cossacks, once proud and combative warriors, today see themselves as guardians of national values and want to defend Russia against unwelcome influences from outside. For example food from the West, which finds its way into Russia despite the import ban. By Stefan Stuchlik.

Warnings at record level
Food recalls keep increasing
, tagesschau.de, 08.12.2019
Whether germs, bacteria, fungi or even "foreign bodies" - reports of contaminated food have reached a new record level. This emerges from statistics of the Federal Office of Consumer Protection and Food Safety.
https://www.tagesschau.de/inland/lebensmittel-127.html

Chemical fire magician
"Dr. Death" ("Dr. Tod") - the poison mixer of ...

Chemical and Biological Programme. Struik Publishers...
Report from News&Links#part6#BuenoAppetito

Are we all becoming transparent?
The transparent citizen ("Der gläserne Mensch")
, UNI.DE
The "transparent citizen" is a frequently used term in the field of data protection. Will we all soon be transparent?
https://uni.de/redaktion/glaeserner-mensch

Pegada - initiative "Against the idiotization of the Christian Western world"

pegada
#OTHERS#TOO
Mass movement from the (largely) independent Russian sector
Pegada - Initiative "Gegen die Idiotisierung des christlichen Abendlandes"

Report: News&Links#part3#Ausland

US government drops the breakup of Microsoft
6 Sept. 2001: surprising turn in the antitrust proceedings against Microsoft: the US government today decided against a breakup of the ...
https://www.heise.de/newsticker/meldung/US-Re...32.html

US government gets nervous about the alleged breakup of Google, tagesschau.de, November 2014
[...] The EU Parliament was planning to break up Google, one could read in various media. The headline did not miss its effect: even the US government showed itself nervous. "We have taken note of the European Parliament's draft resolution with concern", declared the US mission to the European Union. Before that, according to a report in the "Financial Times", leading US politicians had warned against too much EU interference in "open markets" and against negative consequences for trade relations between the EU and the USA.
Continuation of the report: further below

Every third person does not want Windows 10 even for free (an indirect recommendation of Ubuntu), PC-WELT.de, 01.08.2016
Did you do the Windows 10 upgrade? Or did you refuse it? This is how our readers decided!
https://www.pcwelt.de/news/Machen-Sie-das-Gratis-Upgrade-auf-Windows-10-10007169.html

Fraudsters can rarely be prosecuted
Hundreds of millions in donations trickled away
, tagesschau.de, 09.07.2019
According to research by Report Mainz, hundreds of millions of euros in donations are not used properly every year. The legal situation makes it easy for fraudsters.
https://www.tagesschau.de/investigativ/report-mainz/spendenbetrug-101.html

"The internet must go!"
Schlecky Silberstein surfs in our filter bubble

Christian Brandes aka Schlecky Silberstein would like to abolish the medium that feeds him. In "Das Internet muss weg" ("The internet must go") the blogger describes how we are brainwashed by algorithms, trolls and tech companies. But isn't he part of them himself? A review.
https://netzpolitik.org/2018/schlecky-silberstein-surft-in-unserer-filterbubble/

Will we soon suffocate in all the rubbish?

"Jute instead of plastic!" - slogan of a certain left-wing extremist autonomous group in the early 80s, before the time of the Greens, yet to this day known only among a few retailers amid plastic bags upon plastic bags on sale; can somebody explain that to us in view of all the plastic waste and plastic material in circulation?
Because jute, available not only in white, delivers what it promises: with jute bags, which carry several kilograms (about 8 to 10 kg) and are tear-resistant, one has only the very best experiences! And you can wash them too.
Text © 2009 by Gooken.

Do the rats rule the world?

"I have never been lied to like that!"
#34c3: The eavesdropping programmes of the secret services
, netzpolitik.org, 01.29.2018
"I have never been lied to like that", said Hans-Christian Ströbele about his work on the NSA-BND inquiry committee. In a conversation with Constanze Kurz, the Green politician sums up the results of the parliamentary inquiry.
https://netzpolitik.org/2018/34c3-die-lauschprogramme-der-geheimdienste/

Supreme Court: judges appointed by Trump himself
Disclosure of tax returns
Trump turns to the Supreme Court
, tagesschau.de, 11.15.2019
In the dispute over the disclosure of his finances ordered by a judge, Trump has appealed to the Supreme Court to prevent it. Now judges appointed by Trump himself will decide.
https://www.tagesschau.de/ausland/trump-steuererklaerung-supreme-court-101.html

500 ex-prosecutors: "Only the office of president protects Trump from criminal prosecution"
The report of US special counsel Mueller was partially redacted.
Open letter from ex-prosecutors
, tagesschau.de, 05.07.2019
Is it only the office of president that protects Trump from criminal prosecution? More than 500 former prosecutors claim so in an open letter. In doing so, they contradict US Attorney General Barr's interpretation of the Mueller report.
https://www.tagesschau.de/ausland/usa-trump-147.html

Hearing in the US Congress
Law professors deem impeachment proceedings against Trump justified
, SPIEGEL ONLINE, 12.04.2019
The Democrats are pushing ahead with their preparations for impeachment proceedings against Donald Trump. Renowned legal experts now agree with them - with one exception.
https://www.spiegel.de/politik/ausland/donald-trump-rechtsprofessoren-halten-impeachment-verfahren-fuer-gerechtfertigt-a-1299728.html

Donations sunk: why Klaas Heufer-Umlauf's project against distress at sea failed, STERN.de, 09.25.2019
In July 2018 Klaas Heufer-Umlauf collected almost 300,000 euros in donations for a private rescue mission in the Mediterranean. But the project failed, and it shows which problems sea rescue has to contend with.
One year later the balance is sobering. The planned mission never started, and part of the money seems to be lost, as the Austrian research platform "addendum" reports. The organization "Civilfleet", which Klaas had founded to carry out the project, did charter a ship and equip it. But ...
https://www.stern.de/neon/wilde-welt/gesellschaft/klaas-heufer-umlauf--darum-scheiterte-sein-projekt-zur-seenotrettung-8920848.html

From News&Links#bank_scandal



Deutsche Bank is involved in around 1200 lawsuits, tagesschau.de, 05.22.2014
The bank scandal, among others of Deutsche Bank: click here

Fake euro notes: increasing amount of counterfeit money in Germany, SPIEGEL ONLINE, 07.26.2019
In the first half of the year the Bundesbank withdrew more counterfeit money from circulation. This was also due to the race between counterfeiters and authorities.
https://www.spiegel.de/wirtschaft/soziales/mehr-falschgeld-in-deutschland-weniger-euro-blueten-in-europa-a-1279162.html

Fight against money laundering
Customs: suspicious activity reports pile up
, tagesschau.de, 09.07.2019
After massive criticism, the customs authority's fight against money laundering was reinforced. But it helped little: the number of unprocessed suspicious activity reports reached a record high.
https://www.tagesschau.de/investigativ/ndr/geldwaesche-verdachtsmeldungen-101.html

From News&Links#Alternatives

Huawei phone with Hongmeng OS to be released this year!, PC-WELT.de, 08.05.2019
There are new rumours about Huawei's Android alternative Hongmeng OS. It is also said not to be based on Android, but on Fuchsia OS.
https://www.pcwelt.de/news/Huawei-Handy-mit-Hongmeng-OS-noch-in-diesem-Jahr-10641247.html

From News&Links#MS_Windows

EU commissioner threatens Microsoft with a breakup, winfuture.de
So Linux also promotes the further development of Windows. shiversc: He can certainly handle Linux well. So he does not judge from his own…
https://winfuture.de/news-kommentare,31357.html

Is Microsoft facing a breakup?, Golem.de
https://www.golem.de/9804/494.html

Are you in favour of breaking up Microsoft?, PC-WELT
"Linux Hacker's Guide" and "Hacker's Guide" are familiar to every computer freak. The author of these two bestsellers…
https://www.pcwelt.de/ratgeber/Bist-du-fuer-die-Zerschlagung-von-Microsoft-54581.html

2000: In January Gates hands over the leadership of Microsoft to Ballmer and creates the post of chief software architect for himself. In April a court rules that Microsoft abuses a monopoly position. A breakup of Microsoft is on the table.

There is one answer: breakup.
And that is exactly what we have to do with Google.


Tougher data protection, breakup of US companies
Cutting the data fishers' nets: ideas against the market power of the platforms
, netzpolitik.org, 04.09.2018
While the data corporations Google and Facebook continue on their way to digital dominance, the political discussion about limiting their power is gaining momentum. We have compiled important ideas on regulating the platform monopolies here. From tougher data protection to breakup - a different way of dealing with data capitalism is possible.
https://netzpolitik.org/2018/den-datenfischern-die-netze-kappen-ideen-gegen-die-marktmacht-der-plattformen/

Vote in the EU Parliament: is Google facing a breakup?, tagesschau.de, 27.11.2014
Today the EU Parliament votes on a motion concerning the market power of search engines. For the internet giant Google this could have far-reaching consequences: there is talk of splitting up the company. Whoever types the word "Karten" (maps) into Google gets Google Maps as the first hit - the map service Google operates itself. Only afterwards are other services from Michelin or Falk listed. And whoever wants to read news articles or shop online finds links to Google's own portals right below the Google search box. Somehow practical, since it has to be quick. But also very unfair, the other providers complain: Google abuses its market power by favouring its own products in the ranking, they say.

Facebook: FDP can imagine a breakup of Facebook
31 March 2018: The FDP supports the Greens' antitrust considerations of, if necessary, breaking up large internet corporations such as Facebook into ...
https://www.wallstreet-online.de/nachricht/10413761-facebook-fdp-Zerschlagung-facebook-vorstellen

Green party leader Robert Habeck calls for the breakup of Facebook
31 March 2018: As a consequence of the data abuse affecting millions at Facebook, the Greens demand a breakup of the US internet corporation.
https://www.welt.de/politik/deutschland/artic...beck-fordert-.htmlZerschlagung

Breakup of Amazon, Google and Facebook demanded, golem.de
Elizabeth Warren: breakup of Amazon, Google and Facebook demanded. One of the most influential politicians in the USA wants Amazon, Google and…
https://www.golem.de/news/elizabeth-warren-zerschlagung-von-amazon-google-und-facebook-gefordert-1903-139893.html

Breakup of Facebook: Zuckerberg answers Hughes, PC-WELT.de, 13.05.2019
Zuckerberg is said to have uncontrolled power. It is time to break up Facebook. Zuckerberg responds to the accusations.
https://www.pcwelt.de/news/Facebook-Mitbegruender-fordert-Zerschlagung-von-Facebook-10589651.html

Power of the social network
Co-founder wants to break up Facebook
, tagesschau.de, 11.05.2019
Within two months, another Facebook insider goes public and demands the breakup of the corporation. This time it is the co-founder, who warns of the giant's market power and influence.
https://www.tagesschau.de/wirtschaft/facebook-zerschlagung-101.html
More on this topic:
F8 conference: Facebook reloaded, https://www.tagesschau.de/ausland/facebook-entwickler-konferenz-101.html
McNamee settles accounts with Facebook, 11.03.2019, https://www.tagesschau.de/ausland/facebook-kritik-mcnamee-101.html

"Breakup as the last resort", netzpolitik.org, 28.04.2018
The Federal Cartel Office recently deemed Facebook's collection of data from third-party sources abusive, while Google is suing against a fine in the billions imposed by the EU Commission for abuse of market power. After the end of the proceedings, said Knoerig, "we may, via the federal government, come to the conclusion that we form commissions, and then, if it should be necessary, we can unbundle".
Reinhard Houben (FDP) argued for waiting for the proceedings and called the possibility of a breakup the "last step". The digital economy needs "room to develop".
https://netzpolitik.org/2018/bundestag-ueberlegt-digitale-plattformen-zur-oeffnung-zu-verpflichten/

Hamburg's data protection commissioner calls for the breakup of Facebook
5 Apr. 2018: Hamburg's data protection commissioner Johannes Caspar supports political considerations of a possible breakup of the ..
https://www.abendblatt.de/article213932855/Hamburger-Datenschuetzer-fuer-Facebook-Zerschlagung.html

US scientist calls for the breakup of Google, Facebook and Co.
[Entered on 2018-05-14] ... 23 March 2018: US marketing professor Scott Galloway has warned of the overwhelming power of the four tech giants Google, Amazon, Facebook and Apple and ...
https://www.derstandard.de/story/200007671614...ung-von-google-facebook-und-co

Tim Wu: Why Facebook should be broken up, netzpolitik.org, 11.07.2019
A former Obama adviser calls for the revival of an American antitrust spirit. Facebook's size would make it vulnerable; Standard Oil and AT&T are examples of successful unbundlings. He accuses Mark Zuckerberg of having taken over Instagram illegally.
https://netzpolitik.org/2019/tim-wu-warum-facebook-zerschlagen-werden-sollte/

Criticism of capitalism and the internet: how evil is Amazon?, SPIEGEL ONLINE, 05.08.2014
The book mail-order company Amazon wants to subjugate the market. Recalcitrant publishers and authors face trade boycotts. How could it happen that the retail giant is regarded as a kind of Greenpeace of the internet? A column by Jan Fleischhauer

From online bookstore to trillion-dollar corporation
25 years of Amazon: destroyer of retail and darling of Wall Street
, STERN.de, 05.07.2019
The story of the largest online retailer began 25 years ago in a garage in Seattle. Today Amazon is one of the most valuable corporations on the stock exchange and founder Jeff Bezos the richest person in the world. But the company has many critics.
https://www.stern.de/digital/online/25-jahre-amazon--vom-online-buchladen-zum-billionen-konzern-8785610.html

Users as laboratory rats
How Mark Zuckerberg misled the US Congress
, netzpolitik.org, 17.04.2018
At last week's hearing the Facebook boss skilfully threw smoke grenades. Delicate questions about the use of user data remained unanswered. Meanwhile the EU data protection supervisor accuses the internet corporation of turning its users into "laboratory rats". European politics' response to the scandal, however, is only slowly getting under way.
https://netzpolitik.org/2018/wie-mark-zuckerberg-den-us-kongress-in-die-irre-fuehrte/

Edge computing: Microsoft boss raves about the next computer revolution - one that affects us all, STERN.de, 10.10.2019
Microsoft CEO Satya Nadella's presentations have long since stopped being about Windows.
The future of the computer is the "Intelligent Edge", Microsoft CEO Satya Nadella is certain. At a conference in Washington he explained to government employees what lies behind it - and why politics and the military should buy Microsoft technology.
For several years now, Microsoft's former core business Windows has hardly played a role in the speeches of Microsoft CEO Satya Nadella. His pet topic has long been the cloud service Azure, as he reaffirmed in a speech in Washington. He wants to expand it into the "world computer". The technology behind it is called "Intelligent Edge" - and it does indeed have the potential to change the world of technology.
Because the future belongs not to the devices in our pockets but to their interplay with the intelligent cloud, according to Nadella. For a long time our computers either had to do their calculations themselves or were dependent on the power of the cloud. The Intelligent Edge breaks up this opposition - and thus opens countless new possibilities.
Constant interplay
Cloud and device become an interplay. The smart devices - called the edge - work away in everyday life and collect data as they do so. These are then sent to the cloud and processed further there by artificial intelligence. The resulting improvements to the AI are then transferred back to the edge, which can thereby act even smarter on site. So the system constantly improves itself.
[...] The devices themselves fade into the background. While Microsoft once wanted to run Windows on all of them, the operating system hardly plays a role today. How true this is was shown by the company last week, when it presented its first smartphone with Android.
The climax is yet to come
[...] The military as customer
Nadella of course did not present his vision in Washington by chance. At the Microsoft Government Leaders Summit there he advertised his company's services to politics and the military. "We want to become partners of governments. Not to make them dependent on our technology. But to make them independent users and creators of technologies that work together with us."
Already last year Microsoft clearly committed itself to continuing to equip the US military with its technologies despite protests from its own employees. Thus the company - just like Amazon - applied for a major contract that is to completely overhaul the US military's software and move it to a cloud basis. Which company gets the contract is still open. In the summer Microsoft closed another billion-dollar deal to equip the Pentagon's offices with its Office programs.
[...] Critics see the combination of edge computing and the military as downright dangerous. In future, drones could make the decision to attack themselves on the basis of their AI algorithms. Because of such fears among its workforce, Google had decided to no longer support target recognition for drones.
Nadella seems well aware of this danger. In his speech he also spoke of the responsibility that AI brings with it. "We believe in responsible AI. One also has to ask the hard questions, not only what a computer can do - but also what it should do." He did not give the answer.
https://www.stern.de/digital/computer/microsoft-chef-erklaert--warum-windows-und-co--kuenftig-kaum-eine-rolle-spielen-8945156.html

Emulators: virtualbox (MS Windows and other OS), qtemu, qemu (MS Windows, virtual emulation of many operating systems), mingw (cross-compiler for MS Windows binaries) and wine (MS Windows), dosemu-freedos (rosa2014.1, MS-DOS, PC-DOS), basiliskII, basilisk (Macintosh), puae and uae (Amiga), hatari (Atari ST), vice and micro64 (C64), dosbox, dos2unix (text format converter), yabause (Saturn emulator), xroar (Dragon 32/64, Tandy CoCo emulator), fbzx (Spectrum), caprice (Amstrad CPC), zboy (Nintendo Game Boy), ...

MS Windows software such as MS Office on Linux: https://www.codeweavers.com/store

DNS servers: dnsmasq, bind, knot, ...

Virtual machines: kvm (Kernel Virtual Machine virtualization environment), (the popular) Xen with xen-hypervisor, lib64xen3 (pclos, mga), VirtualBox (el6), virt (el6, libvirt (el6)), qemu (el6), hyperv / hyperv-daemon (el6), kde-cdemu-manager, cdemu ...

How to keep using Windows within Linux via VirtualBox, PC-WELT.de, 08.05.2019
Through virtualization it is possible to use Windows software and apps on Linux too. We show how.
https://www.pcwelt.de/ratgeber/Windows-als-virtuellen-PC-in-Linux-weiternutzen-9790033.html
VirtualBox (el6, all Linux): VirtualBox-5.2-5.2.28_130011_el6-1.x86_64.rpm 12-Apr-2019 20:25 78M, VirtualBox-6.0-6.0.6_130049_el6-1.x86_64.rpm 16-Apr-2019 15:58 118M (or VirtualBox-5.2-5.2.28_130011_Linux_x86.run) from https://download.virtualbox.org/virtualbox/5.2.28 resp. https://download.virtualbox.org/virtualbox/6.0.6
and VirtualBox: UserManual.pdf, https://download.virtualbox.org/virtualbox/6.0.6/Oracle_VM_VirtualBox_Extension_Pack-6.0.6-130049.vbox-extpack, https://download.virtualbox.org/virtualbox/6.0.6/VBoxGuestAdditions_6.0.6.iso
Current version as of March 2020: https://download.virtualbox.org/virtualbox/6.0.18/
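Before installing any of the VirtualBox packages linked above, check the download against the SHA256SUMS file Oracle publishes in the same release directory on download.virtualbox.org. The following added shell example (not Oracle's or Gooken's code) does that check offline: the package files and the sums file it writes are constructed for the demo, and the file names VirtualBox-6.0-sample.x86_64.rpm and VirtualBox-6.0-tampered.x86_64.rpm are made up. The lookup accepts both sums-file line styles, "<digest> *<filename>" and "<digest>  <filename>".

```shell
#!/bin/sh
# Verify a downloaded VirtualBox package against the SHA256SUMS file from the
# same release directory. Added example, not Oracle's or Gooken's code.
# Real use:  cd <download dir> && verify_download SHA256SUMS <package file>

# SHA-256 of file $1, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Expected digest for file name $2 from sums file $1 (empty if not listed).
# Strips the leading "*" that marks binary mode in "<digest> *<filename>" lines.
expected_sha256() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f); if (f == name) print $1 }' "$1" | head -n 1
}

# Print "OK <name>", "FAIL <name> ..." or "UNLISTED <name>" for package $2
# using sums file $1. Returns 0 only for OK, so it can gate an install.
verify_download() {
    sums=$1
    pkg=$2
    name=$(basename "$pkg")
    expected=$(expected_sha256 "$sums" "$name")
    if [ -z "$expected" ]; then
        echo "UNLISTED $name"
        return 1
    fi
    actual=$(sha256_of "$pkg")
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
        return 0
    fi
    echo "FAIL $name (expected $expected, got $actual)"
    return 1
}

# Constructed demo data in directory $1: one package that matches its listed
# digest and one that was replaced after the sums were published.
make_sample_downloads() {
    printf 'not a real rpm, constructed sample payload\n' > "$1/VirtualBox-6.0-sample.x86_64.rpm"
    printf 'tampered payload\n' > "$1/VirtualBox-6.0-tampered.x86_64.rpm"
    good=$(sha256_of "$1/VirtualBox-6.0-sample.x86_64.rpm")
    {
        echo "$good *VirtualBox-6.0-sample.x86_64.rpm"
        echo "$good *VirtualBox-6.0-tampered.x86_64.rpm"
    } > "$1/SHA256SUMS"
}

# Demo run on the constructed files.
demo=$(mktemp -d)
make_sample_downloads "$demo"
for pkg in VirtualBox-6.0-sample.x86_64.rpm VirtualBox-6.0-tampered.x86_64.rpm; do
    verify_download "$demo/SHA256SUMS" "$demo/$pkg" || :
done
rm -rf "$demo"
```

A matching digest only proves the file is the one the server lists; if package and sums file came over the same connection, this does not rule out a compromised mirror. For the rpm, additionally import Oracle's package signing key and run rpm --checksig on the package before installing it.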

Relaxed into the cloud under Linux, PC-WELT.de, 12.10.2019
Convenience versus data protection: some cloud functions are indispensable.
https://www.pcwelt.de/ratgeber/Software-fuer-die-Zusammenarbeit-im-Web-9903500.html

Server farm
"Europa-Cloud": German government worries about German data abroad
, netzpolitik.org, 23.07.2019
Because more and more data is stored in foreign clouds, the Interior and Economics Ministries are worried about data sovereignty. At least from the citizen's point of view, however, a "Europa-Cloud" does not solve any problems.
https://netzpolitik.org/2019/europa-cloud-bundesregierung-sorgt-sich-um-deutsche-daten-im-ausland/

Bastille: full-automatic IT security for UNIX / Linux at a mouse click?, fr2.rpmfind.net
"Bastille is a system hardening / lockdown program which enhances the security of a Unix host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools, like rcp and rlogin, and helps create "chroot jails", that help limit the vulnerability of common Internet services like Web services and DNS. This tool currently hardens Red Hat Enterprise Linux, Legacy, and Fedora Core, as well as Debian, SUSE, Gentoo, Mandriva, Ubuntu, Mac OS X, and HP-UX. If run in the preferred Interactive mode, it can teach you a good deal about Security while personalizing your system security state. If run in the quicker Automated mode, it can quickly tighten your machine, but not nearly as effectively (since user/sysadmin education is an important step!) Bastille can also assess the state of a system, which may serve as an aid to security administrators, auditors and system administrators, who wish to investigate the state of their system's hardening without making changes to such.
To run: bastille [(-b|-c|-r|-x|--assess|--assessnobrowser)]
-b : use a saved config file to apply changes directly to system
-c : use the Curses (non-X11) GUI
-r : revert Bastille changes to original file versions (pre-Bastille)
-x : use the Perl/Tk (X11) GUI
--assess : use the assessment functionality, viewing results in a browser
--assessnobrowser : use the assessment functionality without a browser."
https://fr2.rpmfind.net/linux/rpm2html/search.php?query=Bastille&submit=Search+...

From this excursus

[OK] Forbidden is good?


Firefox (64 bit) 74.0 Final
Free download now from CHIP: the brand-new final version of Firefox 74.0.
CHIP test result: very good
https://www.chip.de/news/Browser-im-Maerz-2020-Firefox-stuerzt-ab_169898532.html

Firefox ESR 52.9.0 extensions: almost complete filtering of tracking scripts by ABP, RequestPolicy, NoScript and our FF-ESR security settings via user.js (from Kai Raven.de and other authors, see further below). Note: 52.9.0 (June 2018) was the last release of the ESR 52 branch, so its engine receives no upstream security fixes any more; the legacy (XUL) extensions listed below are the reason it is still used here.

[OK] https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/firefox-esr-52.9.0-lp151.3.18.x86_64.rpm (from 04.28.2020), requires (for el6): mozilla-nss (openSUSE Tumbleweed), libfreebl3 (openSUSE Tumbleweed), libsoftokn3 (openSUSE Tumbleweed)
[OK] Alternatively the latest build of Firefox ESR 52.9.0 out of the directory: https://download.opensuse.org/repositories/home:/dliw:/mozilla/openSUSE_Leap_15.1/x86_64/
https://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/linux4humans:/sle11_software:/firefox/openSUSE_Evergreen_11.4/x86_64/MozillaFirefox-52.9.0-10.2.x86_64.rpm (from 02.15.2019)
[OK] seamonkey (el6; version 2.49 contains the patched Firefox 52.9 engine)
https://rpm.pbone.net/index.php3/stat/4/idpl/54051369/dir/opensuse_leap_15/com/MozillaFirefox-52.9.0-lp150.5.1.x86_64.rpm.html
https://rpm.pbone.net/index.php3/stat/4/idpl/55298083/dir/opensuse/com/MozillaFirefox-52.9.0-4.5.x86_64.rpm.html
Firefox ESR 52.8.1 (el6, fr2.rpmfind.net)

Attention! The installation order of the following Firefox extensions is not unimportant: ABP (with the wildcard-based default-deny filter rule "forbidden is what is not explicitly allowed", details further below) and/or uBlock (resp. ABL for Pale Moon), then RequestPolicy, then NoScript (or uMatrix), then Privacy Badger, then CanvasBlocker!

Note: Privacy Badger from the US civil rights organization EFF, installed last in our order, no longer blocks any tracking scripts except Facebook widgets, even when single scripts it flags turn from green (allow) to red (block): the script blockers installed before it have already done that job for it.
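The default-deny rule behind that ABP configuration, worked through as an added example (this is not code from Gooken or from Adblock Plus; it implements only a small subset of the ABP filter syntax, and the domains in the list are placeholders): one blanket "*" block rule plus "@@" exceptions, evaluated the way ABP evaluates them, with exceptions always winning over block rules. The "$third-party" option is included as well, to show the weaker variant that forbids only embedded third-party requests.

```javascript
// Added example (not code from Gooken or from Adblock Plus): a matcher for a
// small subset of the ABP filter syntax, enough to show how a blanket block
// rule plus explicit "@@" exceptions turns a blocklist into an allow-list.
// Supported: "*" wildcard, "||" domain anchor, "|" start/end anchor,
// "^" separator, "@@" exception, "$third-party" / "$~third-party", "!" comments.

function parseFilter(line) {
  let text = line.trim();
  if (!text || text.startsWith('!')) return null;            // comment or empty line
  const exception = text.startsWith('@@');
  if (exception) text = text.slice(2);

  let thirdParty = null;                                      // null = applies to both
  const dollar = text.lastIndexOf('$');
  if (dollar !== -1) {
    for (const opt of text.slice(dollar + 1).split(',')) {
      if (opt === 'third-party') thirdParty = true;
      else if (opt === '~third-party') thirdParty = false;
      else throw new Error('unsupported filter option: ' + opt);
    }
    text = text.slice(0, dollar);
  }

  let pattern = '';
  if (text.startsWith('||')) {                                // the host or any subdomain of it
    pattern = '^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?';
    text = text.slice(2);
  } else if (text.startsWith('|')) {
    pattern = '^';
    text = text.slice(1);
  }
  let anchoredEnd = false;
  if (text.endsWith('|')) { anchoredEnd = true; text = text.slice(0, -1); }
  for (const ch of text) {
    if (ch === '*') pattern += '.*';
    else if (ch === '^') pattern += '(?:[^A-Za-z0-9_.%-]|$)';   // ABP "separator"
    else pattern += ch.replace(/[.+?()[\]{}|\\\/]/, '\\$&');    // escape regex metacharacters
  }
  if (anchoredEnd) pattern += '$';
  return { exception, thirdParty, re: new RegExp(pattern, 'i'), source: line };
}

// Naive registrable-domain check (last two labels, no public suffix list).
function baseDomain(host) { return host.toLowerCase().split('.').slice(-2).join('.'); }

// Returns "allow" or "block" for a request URL loaded by the page at pageUrl.
// Exceptions always win over block rules, exactly as in ABP.
function decide(filters, url, pageUrl) {
  const third = baseDomain(new URL(url).hostname) !== baseDomain(new URL(pageUrl).hostname);
  const applies = f => (f.thirdParty === null || f.thirdParty === third) && f.re.test(url);
  if (filters.some(f => f.exception && applies(f))) return 'allow';
  if (filters.some(f => !f.exception && applies(f))) return 'block';
  return 'allow';
}

// Hypothetical default-deny list: one "*" rule forbids everything, and only the
// hosts named in "@@" exceptions are allowed again (site names are placeholders).
const DEFAULT_DENY_LIST = [
  '! forbidden is what is not explicitly allowed',
  '*',
  '@@||gooken.de^',
  '@@||example.org^$~third-party',   // example.org only when visited directly, never when embedded
].map(parseFilter).filter(Boolean);
```

With such a list every new third-party host is blocked until an "@@" rule is added for it, which is what makes the order of the extensions above matter: the blockers installed before Privacy Badger already remove most requests before it ever gets to observe them.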

Electronic Frontier Foundation (FF extension Privacy Badger and others) against mass surveillance and eavesdropping by NSA & Co.
USA: another lawsuit against mass surveillance by the NSA dismissed
, netzpolitik.org, 11.05.2019
For years the Electronic Frontier Foundation has been fighting in court against mass surveillance by the US intelligence agency NSA. Now a federal judge has dismissed a lawsuit dating from 2008: to protect national security, a possible surveillance program must remain secret.
https://netzpolitik.org/2019/usa-erneut-klage-gegen-massenueberwachung-durch-nsa-abgewiesen/

"I have never been lied to like that!"
#34c3: the eavesdropping programs of the intelligence agencies
, netzpolitik.org, 29.01.2018
"I have never been lied to like that," said Hans-Christian Ströbele about his work in the NSA-BND investigative committee. In a conversation with Constanze Kurz, the Green politician sums up the results of the parliamentary inquiry.
Our report in News&Links#NSA&Co.
https://netzpolitik.org/2018/34c3-die-lauschprogramme-der-geheimdienste/

[OK] uMatrix (uM, https://github.com/gorhill/uMatrix/releases/download/1.4.1b6/uMatrix_1.4.1b6.firefox.signed.xpi) or seamonkey-noscript (5.1.9 for FF 52 ESR, from February 2020, includes the xpi install file) or
mozilla-noscript (5.1.8.6, 5.1.8.5, 5.1.7-1, fc, el7, el6, fr2.rpmfind.net or mozilla.org or http://ftp.pbone.net/mirror/archive.fedoraproject.org/fedora/linux/updates/25/armhfp/Packages/m/mozilla-noscript-5.1.7-1.fc25.noarch.rpm), https://rpm.pbone.net/index.php3/stat/4/idpl/54125427/dir/rawhide/com/mozilla-noscript-2.6.8.36-1.171.noarch.rpm.html, from 16.11.2018 (package release 1.171; the version we recommend)
[OK] mozilla-adblockplus (2.9.1-27 fc, el7, el6 or mozilla.org), https://fr2.rpmfind.net/linux/fedora-secondary/releases/29/Everything/i386/os/Packages/m/mozilla-adblockplus-2.9.1-4.fc29.noarch.rpm, https://fr2.rpmfind.net/linux/epel/6/x86_64/Packages/m/mozilla-adblockplus-2.6.6-1.el6.noarch.rpm
[OK] mozilla-requestpolicy (1.0-0.22.20171019git633302 fc27 from 02.08.2020 / 08.02.2020, el6, rpmfind.net or mozilla.org; you still have to copy it from /usr/share/mozilla/extensions/ to /home/surfuser/.mozilla/extensions/), https://fr2.rpmfind.net/linux/fedora/linux/releases/29/Everything/x86_64/os/Packages/m/mozilla-requestpolicy-1.0-0.22.20171019git633302.fc29.noarch.rpm, https://fr2.rpmfind.net/linux/epel/6/x86_64/Packages/m/mozilla-requestpolicy-1.0-0.19.20171019git633302.el6.noarch.rpm
mozilla-https-everywhere (fc, el6 or mozilla.org), https://fr2.rpmfind.net/linux/fedora/linux/updates/29/Everything/x86_64/Packages/m/mozilla-https-everywhere-2019.11.7-1.fc29.noarch.rpm, https://fr2.rpmfind.net/linux/epel/6/x86_64/Packages/m/mozilla-https-everywhere-2019.11.7-1.el6.noarch.rpm
firefox-ublock_origin (alt1, pkgs.org, mozilla.org)
[OK] CanvasBlocker (mozilla.org, against canvas fingerprinting)
[OK] CookieController (mozilla.org, part of JonDoFox)
Private Tab (mozilla.org)
[OK] RefControl (mozilla.org, referer control)
[OK] UserAgentSwitcher (mozilla.org)
[OK] Link Redirect Fixer (mozilla.org)
Link_Cleaner (mozilla.org)
[OK] secretagent (randomizing user agents; extension from palemoon.org)
[OK] CSS Exfil Protection by Mike Gualtieri (xpi from mozilla.org, https://addons.cdn.mozilla.net/user-media/addons/931864/css_exfil_protection-1.0.17-an+fx.xpi)
TrackMeNot (xpi): Firefox extension that protects web search habits from tracking and data profiling by search engines. "TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead by the opposite strategy: noise and obfuscation. With TrackMeNot actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with Firefox and Chrome browsers, integrates with all popular search engines and requires no 3rd-party servers or services. TrackMeNot runs as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and Bing. It hides users' actual search trails in a cloud of 'ghost' queries, significantly increasing the difficulty of aggregating such data into accurate or identifying user profiles. TrackMeNot serves as a means of amplifying users' discontent with advertising networks that not only disregard privacy, but also facilitate the bulk surveillance agendas of corporate and government agencies, as documented recently in disclosures by Edward Snowden and others. To better simulate user behavior TrackMeNot uses a dynamic query mechanism to 'evolve' each client (uniquely) over time, parsing the results of its searches for 'logical' future query terms with which to replace those already used.
Public awareness of the vulnerability of searches to systematic surveillance and logging by search engine companies was initially raised in the wake of a case, initiated August 2005, in which the United States Department of Justice (DOJ) issued a subpoena to Google for one week's worth of search query records (absent identifying information) and a random list of one million URLs from its Web index. This was cited as part of its defense of the constitutionality of the Child Online Protection Act (COPA). When Google refused, the DOJ filed a motion in a Federal District Court to force compliance. Google argued that the request imposed a burden, would compromise trade secrets, undermine customers' trust in Google, and have a chilling effect on search activities. In March 2006, the Court granted a reduced version of the first motion, ordering Google to provide a random listing of 50,000 URLs, but denied the second motion, namely, the request for search queries.
While viewed from the perspective of user privacy this seems a good outcome, yet it does bring to light several disquieting points. First, from court documents we learn that AOL, Yahoo!, and Microsoft have complied with the government's request, though details are not given. Second, we must face the reality that logs of our online searches are in the hands of search companies and can be quite easily linked to our identities. Thirdly, it is clear we have little idea of, or say in, what can be done with these logs. While, in this instance, Google withheld such records from the Government, it would be foolish to count on this outcome in the future.
TrackMeNot is user-installed and user-managed, residing wholly on users' system and functions without the need for 3rd-party servers or services. Placing users in full control is an essential feature of TrackMeNot, whose purpose is to protect against the unilateral policies set by search companies in their handling of our personal information. We have developed TrackMeNot as an immediate solution, implemented and controlled by users themselves. It fits within the class of strategies, described by Gary T. Marx, whereby individuals resist surveillance by taking advantage of blind spots inherent in large-scale systems [1]. TrackMeNot may not radically alter the privacy landscape but helps to place a particularly sensitive arena of contemporary life back in the hands of individuals, where it belongs in any free society.

Special thanks to the NYU Dept of Computer Science, the Media Research Lab, the Mozilla Foundation, Missing Pixel, the Portia Project, Babelzilla, Ernest Davis, Michael Zimmer, John Fanning, and Robb Bifano."

Details and installation from
https://www.cs.nyu.edu/trackmenot/, https://trackmenot.io
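The query-evolution mechanism the TrackMeNot text describes, reduced to its core as an added example (this is not TrackMeNot's own code; the seed queries, the stop-word list and the result text are constructed for the demo, and the random source is injectable so the behaviour can be reproduced):

```javascript
// Added example, not TrackMeNot's code: ghost queries drawn from a pool, the pool
// "evolving" by swapping a used query for a term parsed out of the result page,
// and a jittered delay between queries. Lists and texts below are constructed.
const STOPWORDS = new Set(['about', 'after', 'their', 'there', 'these', 'those',
  'which', 'where', 'would', 'could', 'search', 'results', 'https']);

// rng is injectable for reproducibility; defaults to Math.random.
function createNoiseGenerator(seeds, rng = Math.random) {
  const pool = [...seeds];                 // queries the client will send as noise
  const sent = [];                         // what has already gone out

  return {
    // Pick the next ghost query at random from the pool.
    next() {
      const q = pool[Math.floor(rng() * pool.length)];
      sent.push(q);
      return q;
    },
    // Parse the text of the result page for plausible follow-up terms and swap
    // one in for the query just used, so each client's query stream drifts
    // over time instead of cycling through a fixed, recognisable list.
    evolve(query, resultText) {
      const words = resultText.toLowerCase().match(/[a-z]{5,}/g) || [];
      const candidates = [...new Set(words)]
        .filter(w => !STOPWORDS.has(w) && !pool.includes(w));
      if (candidates.length === 0) return null;
      const replacement = candidates[Math.floor(rng() * candidates.length)];
      const i = pool.indexOf(query);
      if (i !== -1) pool[i] = replacement;
      return replacement;
    },
    // Jittered delay in seconds before the next ghost query: a fixed period
    // would let the search engine separate the noise from real searches by timing.
    delay(minSec = 30, maxSec = 120) {
      return minSec + Math.floor(rng() * (maxSec - minSec));
    },
    pool: () => [...pool],
    sent: () => [...sent],
  };
}
```

In a real deployment next() is called from a timer armed with delay(), the query is submitted to a search engine, and evolve() is fed the response body; the seed list is what keeps the very first queries from being obviously synthetic.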


Privacy Badger - "How does Privacy Badger work?
When you view a webpage, that page will often be made up of content from many different sources. (For example, a news webpage might load the actual article from the news company, ads from an ad company, and the comments section from a different company that's been contracted out to provide that service.) Privacy Badger keeps track of all of this. If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you. Voila!
At a more technical level, Privacy Badger keeps note of the "third party" domains that embed images, scripts and advertising in the pages you visit. Privacy Badger looks for tracking techniques like uniquely identifying cookies, local storage "supercookies," first to third party cookie sharing via image pixels, and canvas fingerprinting. If it observes a single third-party host tracking you on three separate sites, Privacy Badger will automatically disallow content from that third-party tracker.
In some cases a third-party domain provides some important aspect of a page's functionality, such as embedded maps, images, or stylesheets. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies and referrers (these hosts have their sliders set to the middle, "cookie block" position).
Does Privacy Badger account for a cookie that was used to track me even if I deleted it? Yes. Privacy Badger keeps track of cookies that could be used to track you and where they came from, even if you frequently clear your browser's cookies. Does Privacy Badger still work when blocking third-party cookies in the browser?
When you tell your browser to deny third-party cookies, Privacy Badger still gets to learn from third parties trying to set cookies via HTTP headers (as well as from other tracking techniques such as pixel cookie sharing and canvas fingerprinting). Privacy Badger no longer gets to learn from cookies or HTML5 local storage being set via JavaScript, however. So, Privacy Badger still works, it'll just learn to block fewer trackers. Clearing history or already-set cookies shouldn't have any effect on Privacy Badger.
How does Privacy Badger handle social media widgets?
Social media widgets (such as the Facebook Like button, Twitter Tweet button, or Google +1 button) often track your reading habits. Even if you don't click them, the social media companies often see exactly which pages you're seeing the widget on. Privacy Badger includes a feature imported from the ShareMeNot project which is able to replace the widgets with a stand-in version, so that you can still see and click them. You will not be tracked by these replacements unless you explicitly choose to click them. Privacy Badger currently knows how to replace the following widgets if they are observed tracking you: AddThis, Facebook, Google, LinkedIn, Pinterest, Stumbleupon, and Twitter. (The source code for these replacements is here; pull requests are welcome.)
Note that Privacy Badger will not replace social media widgets unless it has blocked the associated tracker. If you're seeing real social media widgets, it generally means that Privacy Badger hasn't detected tracking from that variant of the widget, or that the site you're looking at has implemented its own version of the widget. To avoid confusion, the replacement widgets are marked with the Privacy Badger badge next to the button. To interact with a replacement widget, simply click on it. Depending on the widget, Privacy Badger will either send you directly to the appropriate sharing page (for example, to post a tweet) or it will enable and load the real social widget (for example, the Facebook Like button, with personalized information about how many of your friends have "liked" the page). In the second case, you will still need to interact with the real widget to "like" or share the page."

https://privacybadger.org/#How-does-Privacy-Badger-work
https://privacybadger.org/
https://www.eff.org/files/privacy-badger-latest.xpi
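The learning rule quoted above ("a single third-party host tracking you on three separate sites" gets blocked, third parties a page needs get the middle "cookie block" setting), run over a constructed observation log as an added example. This is not Privacy Badger's code: the hosts are placeholders, the functional-hosts set stands in for Privacy Badger's list of needed third parties, and aggregating observations per base domain (last two labels, no public suffix list) is an assumption that goes slightly beyond the text, which speaks of hosts.

```javascript
// Added example, not Privacy Badger's code: the "three separate sites" rule with
// an allow / cookieblock / block outcome, over a constructed request log.
const TRACKING_THRESHOLD = 3;   // distinct first-party sites before a third party is acted on

// Third parties that provide page functionality (maps, stylesheets, ...):
// still allowed to load, but with cookies and referrers stripped ("cookieblock").
// Hypothetical list standing in for Privacy Badger's own.
const FUNCTIONAL_HOSTS = new Set(['maps.mapservice.example']);

// Naive registrable domain: last two labels, no public suffix list (assumption).
function baseDomain(host) { return host.toLowerCase().split('.').slice(-2).join('.'); }

// Learn from observations {site, host, signal}: signal is the tracking technique
// seen on that third-party request ("cookie", "supercookie", "pixel-cookie-sharing",
// "canvas", ...) or null when nothing identifying was observed.
function learn(observations) {
  const sitesByTracker = new Map();                  // base domain -> Set of first-party sites
  for (const { site, host, signal } of observations) {
    if (!signal) continue;                           // plain content teaches nothing
    const key = baseDomain(host);
    if (!sitesByTracker.has(key)) sitesByTracker.set(key, new Set());
    sitesByTracker.get(key).add(site);
  }
  return sitesByTracker;
}

// "allow" | "cookieblock" | "block" for a third-party host, given what was learned.
function actionFor(sitesByTracker, host) {
  const sites = sitesByTracker.get(baseDomain(host));
  if (!sites || sites.size < TRACKING_THRESHOLD) return 'allow';
  return FUNCTIONAL_HOSTS.has(host) ? 'cookieblock' : 'block';
}

// One decision per distinct third-party host seen in the log.
function decideAll(observations) {
  const learned = learn(observations);
  const result = {};
  for (const host of new Set(observations.map(o => o.host))) {
    result[host] = actionFor(learned, host);
  }
  return result;
}

// Constructed log of third-party requests as seen from three first-party sites.
const SAMPLE_LOG = [
  { site: 'news.example', host: 'ads.tracker-a.net',       signal: 'cookie' },
  { site: 'shop.example', host: 'ads.tracker-a.net',       signal: 'cookie' },
  { site: 'blog.example', host: 'cdn.tracker-a.net',       signal: 'canvas' },  // same base domain
  { site: 'news.example', host: 'maps.mapservice.example', signal: 'cookie' },
  { site: 'shop.example', host: 'maps.mapservice.example', signal: 'cookie' },
  { site: 'blog.example', host: 'maps.mapservice.example', signal: 'cookie' },
  { site: 'news.example', host: 'static.cdn-only.example', signal: null },
  { site: 'shop.example', host: 'static.cdn-only.example', signal: null },
  { site: 'blog.example', host: 'static.cdn-only.example', signal: null },
  { site: 'news.example', host: 'pixel.tracker-b.org',     signal: 'cookie' },
  { site: 'news.example', host: 'pixel.tracker-b.org',     signal: 'cookie' },  // same site again: still one
];
```

The log also shows the consequence the FAQ mentions: if the browser itself refuses third-party cookies, the "cookie" signals that would have been set via JavaScript never appear in the log, so fewer hosts reach the threshold and fewer get blocked.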
[OK] Librefox: https://github.com/intika/Librefox/releases/download/Librefox-v2.1-v64.0.0/Librefox-2.1-Firefox-Linux-64.0.0.zip

[OK] Update MozillaFirefox-52.9.0 (openSUSE, February 2019, Gecko engine / legacy Firefox extensions) with files from the then current firefox-68.6.0 (el6, April 2020, Quantum engine / WebExtensions):

As of February 2019

Unpack the following files out of the rpm firefox-68.6.0 (el6, rpm, as of April 2020) into /usr/lib64/firefox/

gtk2 (directory)
fonts (directory)
run-mozilla.sh
libmozavcodec.so
libmozavutil.so
libmozsqlite3.so
libssl3.so (note: libssl3.so is the TLS library of NSS, not of OpenSSL, which ships libssl.so.1.1; take it from the nss package that matches the installed libnss3.so, e.g. the mozilla-nss package mentioned above, and not from an openssl-1.1.1a to 1.1.1e rpm)

Unpack the following files out of seamonkey (el6, rpm, as of September 2019) into /usr/lib64/firefox/

liblgpllibs.so
libmozsandbox.so
plugin-container.so

Unpack the following files out of seamonkey (el6, rpm, as of September 2019) into /usr/lib64/firefox/chrome/icons/default

en-US.aff
en-US.dic

Unpack the following file out of seamonkey (el6, rpm, as of September 2019) into /usr/lib64/firefox/browser/

blocklist.xml

If necessary, remove IDs etc.
Edit /usr/lib64/firefox/application.ini and /usr/lib64/firefox/platform.ini and set the values as you like.

user.js
The Firefox settings in "about:config" get auto-configured at every start of Firefox. The configuration file that makes this possible, user.js, lives in the profile at /home/surfuser/.mozilla/firefox/profilename/.
Details of user.js are listed further below.

Still not updated: libxul.so (Gecko, as of February 2019). Keep in mind that libxul.so is the monolithic Gecko library containing the layout engine and the SpiderMonkey JavaScript engine, i.e. nearly the entire attack surface of the browser; exchanging the helper libraries above therefore does not close vulnerabilities in the engine itself. If this disturbs you, install seamonkey (el6) or

patch the Firefox source code with patches from

https://hg.mozilla.org/releases/mozilla-esr60 (diff)
https://hg.mozilla.org/releases/mozilla-esr68 (diff)

[OK] Firefox ESR 52 patches from 2019 up to now (AUR package firefox-esr52 by Muflone):

2019-11-30 Updated package firefox-esr52 52.9.0-5 Muflone
2019-06-22 Updated package firefox-esr52 52.9.0-4 Muflone
2019-06-13 Updated package firefox-esr52 52.9.0-3 Muflone
2018-08-11 Updated package firefox-esr52 52.9.0-2 Muflone
https://aur.archlinux.org/cgit/aur.git/?h=firefox-esr52

Update Mozilla Firefox JavaScript
mozjs (el6)
https://fr2.rpmfind.net
Note: the mozjs packages are standalone SpiderMonkey builds used by polkit and GNOME (gjs); Firefox carries its own copy of SpiderMonkey inside libxul.so, so installing mozjs does not update the browser's JavaScript engine.

Alternatively Firefox ESR >= 60 (el6), FF 60 ESR (el6), FF 68 ESR (el6), ... with the Quantum engine and WebExtensions, which no longer support the most important legacy extensions like RequestPolicy (Block Continued).

[OK] Anonymizing user agents for extensions like secretagent:

"Privoxy/1.0"
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
"Mozilla/5.0 (compatible; Gooken; +http://www.gooken.de)"

Caveat: a crawler user agent such as Googlebot, bingbot or Slurp is sent by very few real browsers, so it makes the browser stand out rather than blend in, and some sites serve different content to crawlers or block ones they cannot verify; the least identifying choice is the user agent of the most widespread current Firefox release. The User-Agent header is also only one fingerprinting signal among many (hence CanvasBlocker above).

Warning: Firefox ESR >= 60 runs without extensions like RequestPolicy(Block)Continued!

[OK] [SOLVED by Gooken, 15.03.2020] Firefox does not show the current version number of an extension installed by rpm under Add-ons in the menu, so that Firefox keeps working with the old, previously installed version?
This can happen with mozilla-adblockplus, for example, because the xpi file is missing from the package!
Copy all of these extensions out of /usr/share/mozilla/extensions into /home/surfuser/.mozilla/extensions ("cp -axf"), set owner and access rights on them and delete the matching xpi file (of the previous version) out of the extensions subdirectory of the profile. Now the correct version number is shown under Add-ons, and that is the version Firefox will use from now on.

[OK] Does the browser restrict websites (forms and so on) although extensions like ABP, NoScript, RequestPolicyBlockContinued and so on have been reconfigured?
If reconfiguring the extensions does not help at all, deactivate them under Add-ons -> Extensions, one extension after the other or, if nothing helps, all at once!
Now Firefox 52.9.0 ESR should enable almost all functionality for websites.
After leaving those websites, do not forget to activate the extensions again!

[OK] [SOLVED: websites with too many restrictions, possibly caused by extensions or security settings: no login possible etc.]
If even resetting the extensions does not help, create one more, new profile in about:profiles, set it temporarily as the default profile and restart Firefox.

[OK] Almost all files of ESR 52.9.0, except libxul.so, a few libraries and the settings template omni.ja, can be exchanged with those from a newer Firefox like ESR 60.9.0 and ESR 68.
[OK] Update kmozillahelper (zombie process): kmozillahelper (rosa2014.1), or uninstall it with "rpm -e --nodeps kmozillahelper"

More about "security with Firefox (Gecko)" further below on this page!

From News&Links#MS_Windows

Pressure to use Edge instead of Firefox
Microsoft wants Firefox users to switch to Edge
, PC-WELT.de, 10.02.2020
Directly in the Windows 10 start menu, Microsoft asks all Firefox users to switch to Edge.
[...] The request to Firefox users to switch to Edge is causing a lot of excitement among users, though.
Microsoft has advertised the browser bundled with its operating system very directly in the past. Four years ago, for instance, an advertisement for Edge and the Bing search engine appeared directly in the Windows 10 taskbar. Participants of the Insider program were at times confronted, while installing Firefox or Opera, with a message in which Microsoft urged them to use Edge. After the criticism, that function never made it into the public version of Windows 10. Whoever wants to suppress such suggestions can do so in the personalization settings of Windows 10, where Microsoft's well-meant advice can be switched off. https://www.pcwelt.de/news/Microsoft-will-Firefox-Nutzer-zum-Umstieg-auf-Edge-bewegen-10752142.html

Munich's ex-mayor: Ballmer jumped angrily around the office because of the switch to Linux, PC-WELT.de, 12.11.2019
Munich's former mayor Christian Ude tells tales out of school: when Munich switched from Windows to Linux, Steve Ballmer jumped around Ude's office. Bill Gates sat stunned in the car with Ude. And of all people, a Green politician was suddenly in favour of returning to the monopolist.
[...] That brought the then Microsoft CEO Steve Ballmer onto the scene. He interrupted his skiing holiday in Switzerland and flew to Munich specifically to change Ude's mind. According to Ude, Ballmer jumped around his office, praised the beauty of Munich and lowered the price of the migration several times. In the end Ballmer's last offer was 35 percent cheaper, but Ude stood firm.
Even Bill Gates, who also talked to Ude during a car ride to the airport, could not change that. Gates obviously did not understand Ude's wish for independence at all and was stunned.
[...] Ude also comments on the reversal carried out, of all people, by his party colleague and successor as mayor, Dieter Reiter. Surprisingly, it was the Greens' mayoral candidate at the time who wanted to go back to the monopolist. The Greens did not follow their candidate, though, and stayed loyal to LiMux. Not so Reiter: as the new mayor of Munich he pushed the return to Windows together with his coalition partner CSU (which had already been against Linux and for Windows in 2003). Data security and independence suddenly no longer played a role, says Ude. Not to mention the costs.
https://www.pcwelt.de/news/Muenchens-Ex-OB-Ballmer-sprang-durchs-Buero-wegen-Wechsel-zu-Linux-10700234.html

Microsoft's forced registration: your right to your data, PC-WELT
We asked an expert about the legal situation: a provider must state in advance which information it stores about you. In addition, the…
https://pcwelt.de/news/Microsoft-Zwangsregistrierung-Ihr-Recht-auf-Daten-138641.html

Windows 10 and Microsoft Office 2016 and the matter of forced registrations, merkst.de
With the forced activation of the Office packages and also of Windows 10, which are sold in shops with an activation code, Microsoft in my opinion violates …
https://merkst.de/microsoft-office2016-sache

Well, when I buy something like Windows or Office, registering with the manufacturer Microsoft gives me the entitlement (licence) to use it by installing it.
But what happens if I do not acquire Windows? Then, once more, all the versions of MS Windows and Office that were not acquired get registered as well. All these registrations (including non-registrations) can be evaluated, and the result of the evaluation passed on to the state and to other companies etc., with plenty of customer service in case of favour (purchase) or plenty of reprisals (in case of non-purchase), starting with severe ones. Fleeing from reprisals, manufacturer and company can in turn count on ever larger sales (market share) and revenue...
An evaluation can, or more precisely could, only read as follows here: "no Windows at all (so no Office either)" -> "hard-to-fight terrorist or threat hostile to companies and state", "one or another old Windows version" -> "deserter", ..., "newest or all Windows and Office versions" -> "great friend", i.e. "with every claim to support and customer service". The same comes into consideration for registration-requiring goods of other, especially influential manufacturers such as Apple, Amazon, Google, Zalando and (immediately obvious to everyone in the case of) Facebook (via missing registration or registration, degree of activity and possible deregistration)...
In other words, there is then an obligation to buy (with Facebook an obligation to register and an obligation to be active).

Patch Day: Microsoft patches 88 vulnerabilities, PC-WELT.de, 17.06.2019
On June's Update Tuesday Microsoft fixed 88 vulnerabilities. Critical holes are in Windows, Edge and IE.
https://www.pcwelt.de/news/Patch-Day-Microsoft-stopft-88-Schwachstellen-10608550.html

Windows needs Linux: otherwise Microsoft has no future, CHIP, 17.04.2016
BY CLAUDIO MÜLLER
Microsoft has integrated Linux into Windows 10. But not only to please developers. For the company it is about the future, and that is unthinkable without Linux.
http://www.chip.de/news/Windows-10-braucht-Linux-Denn-Microsoft-hat-sonst-keine-Zukunft_92315506.html

Viruses, trojans, worms, bots: more than 40 percent of all computers in Germany are "zombies", FOCUS Online, 02.03.2014
The figures are alarming: 40 percent of all PCs in Germany are infected and can be remotely controlled by cyber gangsters. Once released, malware often opens the back door for new pests. How you can protect yourself. The number of infected computers in Germany rose again to 40 percent last year. That is what the Anti-Botnet Advisory Centre of the internet industry association Eco found. In 2014 more than 220,000 computers were scanned, about 80 percent of which had an outdated browser installed. These frequently make a takeover by trojans and viruses possible. A first pest often opens the door for further infections, the association explains. "Zombie computers" can be controlled remotely. Infected so-called "zombie computers" can be remotely controlled by cyber criminals. "Their systems act as part of a network that criminals use for crimes such as sending spam or denial-of-service attacks, which cause considerable financial damage," explains Markus Schaffrin, security expert at Eco. The result is alarming, says Eco. For sustainable security, a correctly configured firewall and an antivirus program are necessary, the association says. FOCUS Online explains here how to find the best virus scanner (we, Gooken, recommend the open-source scanner ClamAV, which can be installed on all widespread operating systems and is therefore under broad scrutiny).

Windows 10 - a single data protection accident
Politics on the data leak Windows 10: supervisory authorities must act
, netzpolitik.org, 29.11.2018
The Federal Office for Information Security (BSI) confirmed ...
Continuation of the report: see News&Links#Zerschlagungsfall_MSWindows_Google_&Co. and
https://netzpolitik.org/2018/politik-zur-datenschleuder-windows-10-aufsichtsbehoerden-muessen-handeln/
News&Links#MS_Windows

Tests in 2016: about 5500 connection attempts per day from Microsoft Windows 10 to the internet
Several contacts to internet servers within a few seconds
Windows data protection at BSI level - how to
, PC-WELT.de, 17.04.2019
Continuation of the report with the associated security settings: News&Links#MSWindows and
https://www.pcwelt.de/a/bundesamt-fuer-it-sicherheit-bsi-untersucht-sicherheit-von-windows-10,3463082

Malware record 2019: trojan Emotet already has over 30,000 variants, trojaner-info.de, 16.07.2019
In the first half of 2019 G DATA already discovered more versions of the Emotet trojan than in the whole of 2018.
The Emotet trojan is one of the most frequent and most dangerous threats for companies. The all-purpose weapon of cybercrime is mostly used by criminals for targeted espionage in companies. After the initial infection, further malware such as Trickbot or the ransomware Ryuk is deployed. In the first half of 2019 the security experts of G DATA registered more than 33,000 variants of the malware, more than in all of 2018.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/malware-rekord-2019-trojaner-emotet-hat-bereits-ueber-30-000-varianten.html

Malware campaign: Microsoft warns of Astaroth, trojaner-info.de, 16.07.2019
The Astaroth campaign uses a fileless execution and living-off-the-land technique, which makes the attacks very hard to detect.
The Microsoft security team has issued a warning about ongoing malware campaigns that spread the Astaroth malware using fileless and living-off-the-land techniques, which make it harder for traditional antivirus solutions to detect the ongoing attacks.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/malware-kampagne-microsoft-warnt-vor-astaroth.html

Mozilla blocks state hackers, trojaner-info.de, 15.07.2019
Mozilla stated: DarkMatter poses "a significant threat" to the security of users.
The company DarkMatter from the United Arab Emirates, active in IT security according to its own statements, has two faces: that of a rapidly growing IT security provider that wants to ensure a secure internet, for instance as a certificate service provider, and that of an employer of former NSA agents that offers espionage services to governments and spies on dissidents.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/mozilla-blockt-staats-hacker.html

macOS: threatened tenfold by malware, trojaner-info.de, 16.07.2019
SentinelOne found that cyber criminals increasingly focus on Apple's Mac platform and succeed more and more often.
Despite all claims to the contrary, Mac users are not immune to compromises or dangerous infections either: in the first six months of 2019 alone, the security researchers of SentinelOne identified at least ten different types of malware specifically targeting macOS, as infopoint-security.de explained.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/macos-10-fach-von-malware-bedroht.html

Nvidia confirms: driver records user data, PCWELT, 09.11.2016
Via the GeForce Experience program Nvidia can read out a lot of information about the PC. Update: statement from Nvidia.

Accusation: Nvidia driver records telemetry user data, PCWELT, 07.11.2016
Via the graphics card driver as well as the GeForce Experience program, Nvidia can read out a lot of information about the PC.
Users of Nvidia graphics cards mostly use the official drivers or the GeForce Experience program. Both software components are said to send countless data about the user's computer to Nvidia. The French magazine CanardPC Hardware had already pointed out the collection of such telemetry data some months ago. Excitement only arose after the article was translated on Reddit.
According to that, Nvidia sends the ID and size of the monitor to trackers from Adobe and Google. Information about the installed CPU and drives goes to the graphics card manufacturer's own servers. After installing GeForce Experience the PC is even analysed completely, including details about the mainboard, serial number, BIOS version, USB drives or RAM size. Competitor AMD is more frugal with the data collected by its graphics card drivers: according to CanardPC Hardware, only a little information about the computer is collected, and only during installation.
https://www.pcwelt.de/news/Vorwurf-Nvidia-zeichnet-Telemetrie-Daten-per-Treiber-auf-10070735.html

Cyber crime: The digital front: how the German Army (Bundeswehr) arms itself against hacker attacks
The battles of the future are fought on the internet: election manipulation, data theft, attacks on infrastructure. Everything is vulnerable. Read how the Bundeswehr protects companies and utilities.
6 trillion dollars of damage from cyber crime, STERN.de, 03.08.2019
https://www.stern.de/digital/cyber-crime--bundeswehr--unternehmen-und-versorger-wappnen-sich-8830388.html

Because of radiation: class action lawsuit against Apple and Samsung, PC-WELT.de, 26.08.2019
Smartphones emit more radiation than is actually permitted. That is what an American newspaper reported last week. The first class action from a small law firm in Atlanta is already following this report.
The Chicago Tribune tested several smartphones for the radiation they emit. The newspaper concluded that some devices did not comply with the prescribed limits. We reported on it. In a Facebook post yesterday, the law firm Fegan Scott LLC announced that it had filed a class action against Apple and Samsung. It accuses the companies of endangering the health of device users through the allegedly (the results of a new investigation by the American authority FCC are still pending) elevated radiation levels. Furthermore, the advertising for the products is said to be misleading and to play down the dangers of the radiation emitted by smartphones, or even ignore them completely. Apple and Samsung are thus accused of suggesting, with slogans such as "Studio in your pocket", that smartphones can be carried in a trouser pocket without risk.
The 44-page complaint relies largely on the Chicago Tribune article, but also on various studies that are supposed to prove the harmfulness of smartphone radiation. This is, however, scientifically quite controversial. For more information on this topic we recommend the guest article by our expert Dennis Bederov. In that article we summarised the problem of SAR measurements and explained why they are not always meaningful.
Class actions against large corporations and authorities are not uncommon. Only a few months ago a class action was launched in the USA against the US authority FCC over the approval of 5G mobile communications. In that case too, endangering the general public is among the accusations, without this having been scientifically proven beyond doubt.
https://www.pcwelt.de/news/Wegen-Strahlung-Sammelklage-gegen-Apple-und-Samsung-eingereicht-10654270.html

Murder in instalments: Stop 5G and the BRD!, brd-schwindel.ru, 19.04.2019
The following collection of quotations shows that the dangers of mobile telephony, and the damage it does to the human organism, above all to the brain, have long been known. And that does not even concern 5G. One can work out that the exposure will be multiplied considerably. Even without 5G we are already exposed to enormous radiation. 5G NO THANKS
The collection of quotations comes from scientific papers, specialist publications, press agency reports, books, lectures, newspapers, from doctors, authorities, experts, the internet, the news; they were heard on the radio, seen on television…

https://brd-schwindel.ru/mord-auf-raten-stoppt-5g-und-die-brd/

From this excurs

USA
Community::Organisations
Linus Torvalds: "Grsecurity patches are rubbish"
59,900.50 US dollars for working hours and 2,403.12 US dollars for expenses
Grsecurity to pay attorney fees

https://www.pro-linux.de/news/1/25985/grsecurity-soll-anwaltsgeb%C3%BChren-zahlen.html

"I too trust grsecurity/pax, my Debian wouldn't be in harmony with me and my world without them... Anyone else to pitch in and help/lobby/solve our queries?"
http://forums.debian.net/viewtopic.php?t=103302

We consider the grsecurity Linux kernel patches and paxctld indispensable, as is already evident from the extensive configuration of the numerous individual options after applying the patches, note by Gooken:
grsecurity-patch - Components, en.wikipedia.org
PaX
A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory, the stack, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses.

Role-based access control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy which can be amended as needed.

A list of RBAC features

Domain support for users and groups
Role transition tables
IP-based roles
Non-root access to special roles
Special roles that require no authentication
Nested subjects
Support for variables in the configuration
And, or, and difference set operations on variables in configuration
Object mode that controls the creation of setuid and setgid files
Create and delete object modes
Kernel interpretation of inheritance
Real-time regular expression resolution
Ability to deny ptraces to specific processes
User and group transition checking and enforcement on an inclusive or exclusive basis
/dev/grsec entry for kernel authentication and learning logs
Next-generation code that produces least-privilege policies for the entire system with no configuration
Policy statistics for gradm
Inheritance-based learning
Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
Full path names for offending process and parent process
RBAC status function for gradm
/proc//ipaddr gives the remote address of the person who started a given process
Secure policy enforcement
Supports read, write, append, execute, view, and read-only ptrace object permissions
Supports hide, protect, and override subject flags
Supports the PaX flags
Shared memory protection feature
Integrated local attack response on all alerts
Subject flag that ensures a process can never execute trojaned code
Full-featured, fine-grained auditing
Resource, socket, and capability support
Protection against exploit bruteforcing
/proc/pid filedescriptor/memory protection
Rules can be placed on non-existent files/processes
Policy regeneration on subjects and objects
Configurable log suppression
Configurable process accounting
Human-readable configuration
Not filesystem or architecture dependent
Scales well: supports as many policies as memory can handle with the same performance hit
No run-time memory allocation
SMP safe
O(1) time efficiency for most operations
Include directive for specifying additional policies
Enable, disable, reload capabilities
Option to hide kernel processes


Chroot restrictions

grsecurity restricts chroot in a variety of ways to prevent various vulnerabilities and privilege escalation attacks, as well as to add additional checks:
No attaching shared memory outside chroot
No kill, ptrace (architecture-independent), capget, setpgid, getpgid and getsid outside chroot
No sending of signals by fcntl outside chroot
No viewing of any process outside chroot, even if /proc is mounted
No mounting or remounting
No pivot_root
No double chroot
No fchdir out of chroot
Enforced chdir("/") upon chroot
No (f)chmod +s
No mknod
No sysctl writes
No raising of scheduler priority
No connecting to abstract unix domain sockets outside chroot
Removal of harmful privileges via cap


Miscellaneous features

Among other things, it can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging. Some of the other audit types allow the administrator to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging together with its arguments.
Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious
binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user. grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.
There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.[13]
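An added audit script (not grsecurity's code) that applies the trusted path execution rule described above to a directory tree, so an administrator can see beforehand which binaries TPE would refuse to run. It applies only the two conditions the text names (binary not owned by root, or world-writable); the real in-kernel check also looks at the directory the binary lives in and at which group TPE is enforced for, so treat the result as a first pass.

```python
"""Audit: which executables would the trusted path execution (TPE) rule reject?

Added example, not grsecurity code. Emulates only the two conditions the text
names: a binary must be owned by root and must not be world-writable.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

ROOT_UID = 0


@dataclass(frozen=True)
class Verdict:
    path: str
    allowed: bool
    reason: str


def tpe_verdict(path: str, uid: int, mode: int) -> Verdict:
    """Pure rule on an owner uid and st_mode; no filesystem access."""
    if mode & stat.S_IWOTH:
        # A world-writable binary could have been replaced by any local user.
        return Verdict(path, False, "world-writable binary")
    if uid != ROOT_UID:
        # TPE only trusts binaries that root put there.
        return Verdict(path, False, f"owned by uid {uid}, not root")
    return Verdict(path, True, "root-owned, not world-writable")


def audit_dirs(dirs: Iterable[str]) -> List[Verdict]:
    """Stat every regular, executable file in the given directories."""
    verdicts: List[Verdict] = []
    for d in dirs:
        try:
            entries = sorted(os.listdir(d))
        except OSError:
            continue  # missing or unreadable entry: nothing to audit there
        for name in entries:
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and directories: the target is judged where it lives
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable by anyone, TPE never sees it
            verdicts.append(tpe_verdict(p, st.st_uid, st.st_mode))
    return verdicts


def denied(verdicts: Iterable[Verdict]) -> List[Verdict]:
    return [v for v in verdicts if not v.allowed]


if __name__ == "__main__":
    # Walk the caller's PATH. On a stock system this usually prints nothing,
    # which is what you want to see before enabling TPE for ordinary users.
    for v in denied(audit_dirs(os.environ.get("PATH", "").split(os.pathsep))):
        print(f"TPE would deny {v.path}: {v.reason}")
```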

List of additional features and security improvements

/proc restrictions that do not leak information about process owners
Symlink/hardlink restrictions to prevent /tmp races
FIFO restrictions
dmesg restriction
Enhanced implementation of trusted path execution
GID-based socket restrictions
Nearly all options are sysctl-tunable, with a locking mechanism
All alerts and audits support a feature that logs the IP address of the attacker with the log
Stream connections across Unix domain sockets carry the attacker's IP address with them (on 2.4 only)
Detection of local connections: copies attacker's IP address to the other task
Automatic deterrence of exploit brute-forcing
Low, medium, high, and custom security levels
Tunable flood-time and burst for logging
https://en.wikipedia.org/wiki/Grsecurity

Software::Kernel
Grsecurity (RSBAC, RSBAC kernel) protects the Linux kernel against return-oriented programming attacks, Pro-Linux.de, 09.02.2017
The Grsecurity project has presented a patch for Linux 4.9 that, for the first time, prevents attacks based on jumps into already existing regular code.
http://www.pro-linux.de/news/1/24438/grsecurity-schützt-linux-kernel-vor-return-oriented-programming-angriffen.html

Subgraph OS: a special hardened Linux with Grsecurity/PaX kernel patches. All applications are isolated from each other by a sandbox. The Tor Onion Router is used by default as the anonymisation service. Currently an alpha version is available for download. The ISO image can also be used as a live DVD as an alternative to TAILS.
https://www.privacy-handbuch.de/handbuch_24o.htm

Automatically responds to exploit bruteforcing, grsecurity.org, 23.09.2019
Even if all system-level infoleak sources and methods of entropy reduction are closed down, there remains the fact that a Linux system is generally unable to prevent bruteforcing of arbitrary network services and suid/sgid binaries. Grsecurity solves this issue by forcing a delay between forks of network services being bruteforced and bans users from executing suid/sgid apps for a period of time if they cause one to crash. Grsecurity takes a similar approach to preventing repeated attempts at exploiting kernel vulnerabilities. After the first detected attempt causing an OOPS message, grsecurity bans that unprivileged user from the system until restart.
https://grsecurity.org/features

Hardened BPF JIT against spray attacks, grsecurity.org, 23.09.2019
The Linux kernel contains functionality that allows it to generate machine code at runtime to speed up packet filtering and SECCOMP rules. This functionality can be abused by attackers as they are able to both pre-determine the contents of the generated machine code and also fully control certain arbitrary values within that content that permit them to execute arbitrary code through an unintended instruction sequence. Grsecurity uses a technique called "constant blinding" to prevent an attacker from having enough control over the generated machine code to launch a successful attack. Unlike upstream's attempts at resolving this problem, our solution is resistant to leaks of the location and contents of the JIT-generated code.
In the default, JIT-disabled mode, grsecurity also protects the execution environment against a corrupted interpreter buffer.
Finally, the use of RAP will prevent JIT spray attacks in general by ensuring that no functions can call, jump, or return to anywhere in the middle of a JIT-compiled BPF filter.
https://grsecurity.org/features

Random padding between thread stacks, grsecurity.org, 23.09.2019
Linux distros generally do not compile code with the -fstack-check flag to GCC, making it possible to exploit incorrectly-sized calls to alloca(). By taking advantage of pthread's behavior of allocating quickly-created thread stacks adjacent to each other, the stack of another thread can be reliably modified to achieve exploitation. Randomizing the offset between thread stacks removes the reliability of this technique, generally reducing the exploit to a crash.
https://grsecurity.org/features

Prevents kernel stack overflows on x64, grsecurity.org, 23.09.2019
While vulnerabilities arising through the improper use of variable-length-arrays (VLAs) and runtime stack allocation are handled automatically with a GCC plugin, grsecurity also provides a feature to prevent exploitation arising from other sources of kernel stack overflows: deep nesting and recursion. On a mainline Linux kernel, a kernel task is free to overflow its stack into adjacent heap objects in order to escalate privilege. Grsecurity places kernel stacks non-contiguously in a separate memory region on 64-bit architectures to avoid any such abuse.
https://grsecurity.org/features

Prevents userland code execution by kernel, grsecurity.org, 23.09.2019
PaX's KERNEXEC feature effectively prevents the kernel from executing code in userland through memory corruption. This feature is provided for x86, x64, and ARM, even on processors that don't support SMEP or PXN.
https://grsecurity.org/features

Prevents direct userland access by kernel, grsecurity.org, 23.09.2019
Through PaX's UDEREF feature, grsecurity forces any userland data access to go through an approved accessor. This prevents exploitation of an entire class of vulnerabilities that includes null pointer dereferences and dereferences of magic values that point into userland (e.g. 0xAAAAAAAA on 32-bit systems). This feature is provided for x86, x64, and ARM, even on systems without SMAP or PAN support.
https://grsecurity.org/features

Bounds checks on kernel copies to/from userland, grsecurity.org, 23.09.2019
This feature hardens the functions the Linux kernel uses to copy data to and from user applications. It ensures copies to/from a heap object don't exceed the object's size and that stack copies don't exceed the size of the stack frame. It further prevents modifying or leaking sensitive kernel objects via these functions.
https://grsecurity.org/features

Industry-leading ASLR, grsecurity.org, 23.09.2019
Grsecurity has led the way over the years in providing a proper ASLR implementation that deals with the many ways in which an attacker can influence ASLR or defeat it through system-provided information leaks and entropy reduction. In addition, the number of bits of entropy applied to randomization of each memory region is significantly higher in grsecurity compared to upstream's weaker ASLR implementation.
https://grsecurity.org/features

Grsecurity leads in Spectre Defense, grsecurity.org, 23.09.2019
Unlike the manual, ad-hoc approach to finding and fixing Spectre v1 vulnerabilities employed elsewhere, our much higher coverage Respectre™ compiler plugin discovers and automatically instruments the code with high-performance fixes.
https://grsecurity.org/

Grsecurity Adds Confidence to Containers
No security strategy for today's container-based deployments is complete without grsecurity®. Our unmatched defenses add critical hardening to the Linux kernel, a ripe source of vulnerabilities and involved in most container escapes.
https://grsecurity.org/

Grsecurity Ends Code Reuse Attacks, grsecurity.org, 23.09.2019
RAP® is our patented and best-of-breed Control Flow Integrity (CFI) defense against code reuse attacks like ROP. Its performance, security guarantees, and ability to scale to complex C/C++ codebases of arbitrary size are unmatched.
https://grsecurity.org/

Grsecurity® is an extensive security enhancement to the Linux kernel, that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration.
It has been actively developed and maintained for the past 18 years. Commercial support for grsecurity is available through Open Source Security, Inc.
https://grsecurity.org/

Gentoo stops hardened kernel, PRO LINUX.de
The Gentoo project has discontinued the "hardened kernel" based on Grsecurity. As those responsible announced on the project's site, since the sources are no longer publicly available it can no longer be guaranteed that fixes for the kernel series can be delivered promptly.
The Grsecurity project, which has existed for 16 years, describes itself as a "pioneer of solutions" intended to make the Linux kernel less susceptible to security vulnerabilities. Not only Linux benefited from this; all modern operating systems adopted some of the measures. Grsecurity itself, however, is not uncontroversial. On the one hand, developers such as Linus Torvalds complain that Grsecurity subordinates everything to the aspect of security. On the other hand, the project made itself unpopular in the past when it announced that in future it would only make patches available to paying customers. The background to the decision was that the project earned too little income from its work because too many users simply used the patches free of charge.
One such user is the free distribution "Gentoo", which is aimed at advanced Linux users who want to set up their system individually. For some time Gentoo has offered its users a special kernel that includes patches from Grsecurity. The branch known as the "hardened kernel" is maintained and updated by the developers on their own, which among other things is intended to provide increased security. But that is now over.
According to an announcement on the project site, Gentoo will discontinue support for the hardened kernel sources as early as the end of this week. As Francisco Blas Izquierdo Riera writes, the Grsecurity restrictions make it impossible for the developers to guarantee the security of the system. From 27 August the kernel sources will therefore no longer be offered. At the end of September they are finally to be removed completely from the repositories. Users affected by the change are therefore asked to use sys-kernel/gentoo-sources.
As the developers go on to write, the removal of the sources is not final, however. Should the Grsecurity developers decide to make the patches publicly available again, Gentoo would also offer a corresponding kernel again. The "hardening" of the system by means of SELinux and userspace tools is not affected by the change.
https://www.pro-linux.de/news/1/24817/gentoo-stoppt-sicherheitsunterstützung-für-sparc.html

Stack Clash exploit in kernel and glibc
Torvalds: "Grsecurity patches are rubbish", pro-linux.de, 27.06.2017
In a discussion about the Stack Clash security vulnerability, Linux creator Linus Torvalds also spoke up. Among other things he presented his opinion of Grsecurity and had little good to say about the project. Grsecurity, for its part, criticises the amateurish handling of the vulnerability.
Since the end of last week a new security vulnerability has been making the rounds which, as is now usual, goes by its own name. The weakness known as "Stack Clash" results in privilege escalation and can be used locally by attackers for attacks on Linux and Unix systems. As researchers at Qualys found out, the protection of the kernel's memory management can be circumvented and adjacent memory locations overwritten. The "stack guard page" actually intended for protection, which is supposed to prevent privilege escalation through memory manipulation in the kernel, offers no protection here, because vulnerabilities in the Linux kernel (CVE-2017-1000364) and in glibc (CVE-2017-1000366) can bypass it.
In the course of the discussion about "Stack Clash", which was also conducted among the kernel developers, various proposals therefore came up for how the protection of the kernel could be increased. One of the questioners put forward the thesis that it might be helpful to look at Grsecurity's solutions and examine various approaches. Grsecurity, which among other things enables considerable restrictions on users and their processes and follows the principle of least privilege, can by its own account prevent numerous attacks and sees itself as a secure extension of the standard kernel.
The father of the kernel, Linus Torvalds, however, seems less enthusiastic about the project. In a reply he railed against the project and advised against using it. According to the developer, Grsecurity follows an approach in which it is only about security for security's sake. Whether things stop working as a result does not concern the project. "The thing is a joke and they are clowns", writes Torvalds. "Their patches are pure garbage".
Torvalds' harsh reaction probably does not come out of nowhere. Previously, the initiator of Grsecurity, Brad Spengler, had accused the kernel developers of ignorance and criticised the community's handling of the stack problem. According to Spengler, the problem arose from a premature action by Torvalds and was entirely ill-considered, as can also be seen from the history of the change. The criticism of the solution voiced by Grsecurity in the past went unanswered and suggestions for improvement were ignored. Now, however, the damage is done, says Spengler.
https://www.pro-linux.de/news/1/24879/torvalds-grsecurity-patches-sind-müll.html

Linux users threatened by crypto-miner, www.trojaner-info.de, 08.01.2018
According to F5 Networks the botnet is said not to be active at present.
It is a Python-based crypto-miner that spreads via the SSH protocol. The malware infects Linux systems by means of a brute-force attack. The criminal authors of the malware are said to have siphoned off bitcoins worth 46,000 US dollars by the end of last year, as researchers at F5 Networks found.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/linux-nutzer-von-crypto-miner-bedroht.html

Dr. Web warns of old IoT Linux trojan, PCWELT.de, 05.10.2017
The antivirus software maker Dr. Web warns of a trojan that infects Linux systems and is said to be used for sending spam. The pest known as "Linux.ProxyM" exploits no known Linux vulnerability, but rather poorly secured IoT devices.
https://www.pro-linux.de/news/1/25210/dr-web-warnt-vor-altem-iot-linux-trojaner.html

Software::Kernel
Quarrel about kernel lockdown, PRO LINUX, 06.04.2018
In recent days, criticism has been voiced from the kernel developers' camp of a patch series that became known under the term "Kernel Lockdown".
Red Hat developer David Howells' patch series for the so-called Kernel Lockdown is currently stirring up some kernel developers, with Linus Torvalds at the forefront. Kernel Lockdown is meant to prevent root from modifying the kernel at runtime. The patches, revised in the meantime, had already been in linux-next for over a year, where patches are tested before being proposed for the mainline kernel.
https://www.pro-linux.de/news/1/25770/streit-um-kernel-lockdown.html

New Linux malware on the loose, trojaner-info.de, 21.07.2019
Linux is generally regarded as an extremely secure operating system.
There is a new Linux spyware called EvilGnome, designed specifically for attacking desktop users. Once infected, the pest transfers files from affected systems to the criminals' servers, as pctipp.ch warns.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/neue-linux-malware-unterwegs.html

Open source Linux kernel up to kernel 4.15 - not all parts are open source, PRO LINUX, 2018
but smaller sub-kernels are still closed-source US firmware
Report by pro-linux.de; for the continuation of the report describing this matter see under "Universal Linux 2010" #Updaten

PRO LINUX.de: listing of Linux updates, patches and bugfixes from 2010 to the present day
Below you will find all current security advisories of the most important distributions, stating the distribution, the publication date and the vulnerability addressed.
Only a small excerpt, with new entries almost daily...
https://www.pro-linux.de/sicherheit/1/1/1.html

Software::Kernel
Security vulnerabilities in the TCP code of the kernel, PRO LINUX, 21.06.2019
A team at Netflix has discovered three security vulnerabilities in the TCP code of the kernel. With specially crafted SACK packets, a kernel halt can be achieved in the worst case. All Linux and FreeBSD users should update their kernel or take temporary countermeasures.
https://www.pro-linux.de/news/1/27174/sicherheitsl%C3%BCcken-im-tcp-code-im-kernel.html

Security vulnerabilities in 40 kernel drivers published, PC-WELT.de, 12.08.2019
Security researchers have published a list of 40 kernel drivers from 20 vendors that contain security vulnerabilities.
https://www.pcwelt.de/news/Sicherheitsluecken-in-40-Kernel-Treibern-von-20-Anbietern-veroeffentlicht-10645653.html

How to prevent the transfer of printer usage data, PC-WELT.de, 28.01.2017
Multifunction printers too collect a large amount of user data and pass it on to the manufacturer.
https://www.pcwelt.de/tipps/Uebertragung-von-Drucker-Nutzungsdaten-verhindern-10110184.html

Security
Eavesdropping: what the printer reveals about you, PC-Magazin.de, 31.08.2017
Did you know that printers leave behind the unique device serial number and the time of printing? No? This also proved fatal for a whistleblower.
Spy in the printer: decoding help on the internet
Spy in the printer: the secret of the yellow dots
http://www.pc-magazin.de/ratgeber/drucker-spionage-tracking-dots-mic-machine-identification-code-3198297.html

From News&Links#online_shopping

Capitalism critics and the internet: how evil is Amazon?, SPIEGEL ONLINE, 05.08.2014
The book retailer Amazon wants to submit to the market. Recalcitrant publishers and authors are threatened with trade boycotts. How could it happen that the retail giant is regarded as a Greenpeace of the internet? A column by Jan Fleischhauer

From online bookshop to trillion-dollar company
25 years of Amazon: destroyer of the retail trade and darling of the stock exchange, 05.07.2019
The history of the largest online retailer began 25 years ago in a garage in Seattle. Today Amazon is one of the most valuable companies on the stock exchange and founder Jeff Bezos the richest person in the world. But the company has many critics.
https://www.stern.de/digital/online/25-jahre-amazon--vom-online-buchladen-zum-billionen-konzern-8785610.html

Break-up of Amazon, Google and Facebook demanded, golem.de
Elizabeth Warren: break-up of Amazon, Google and Facebook demanded. One of the most influential politicians in the USA wants to break up Amazon, Google and…
https://www.golem.de/news/elizabeth-warren-zerschlagung-von-amazon-google-und-facebook-gefordert-1903-139893.html

Stricter data protection, breakup of US companies
Cutting the nets of the data fishers: Ideas against the market power of the platforms, netzpolitik.org, 04.09.2018
While the data corporations Google and Facebook continue on their way to digital dominance, the political discussion about limiting their power is gaining momentum. We have collected important ideas for regulating the platform monopolies here. From stricter data protection to a breakup: a different way of dealing with data capitalism is possible.
https://netzpolitik.org/2018/den-datenfischern-die-netze-kappen-ideen-gegen-die-marktmacht-der-plattformen/

From News&Links#MS_Windows_and_Google



Google is evil
DuckDuckGo and Startpage are proprietary software. Users have no way to verify whether they really do not track. One has to trust them blindly.
DuckDuckGo and Startpage are both centralised and run by commercial companies.
netzpolitik.org: And MetaGer, another meta search engine with a focus on data protection and privacy, which is run by a non-profit association in Germany?
MetaGer has a database that stores search results.
Google is a huge international company that wants to make money wherever it can, including with your private data. There are many articles explaining what is wrong with Google.
https://fuckoffgoogle.de/#google-is-evil
http://listverse.com/2017/09/24/top-10-ways-google-does-evil/
https://www.infoworld.com/article/2610434/cringely/google--evil--you-have-no-idea.html
https://thebosh.com/10-reasons-why-google-is-evil/
https://netzpolitik.org/2018/interview-searx-eine-suchmaschine-mit-datenschutz/

EU commissioner threatens Microsoft with a breakup, winfuture.de
Linux therefore also promotes the further development of Windows. shiversc: He can certainly use Linux well. So he does not conclude from his own case…
https://winfuture.de/news-kommentare,31357.html

Is Microsoft facing a breakup?, Golem.de
Is Microsoft threatened with a breakup?
https://www.golem.de/9804/494.html

Are you in favour of breaking up Microsoft?, PC-WELT
"Linux Hacker's Guide" and "Hacker's Guide" are familiar to every computer enthusiast. The author of these two bestsellers…
https://www.pcwelt.de/ratgeber/Bist-du-fuer-die-Zerschlagung-von-Microsoft-54581.html

2000: In January Gates hands over the leadership of Microsoft to Ballmer and creates for himself the post of Chief Software Architect. In April a court rules that Microsoft abuses a monopoly position. The breakup of Microsoft becomes a matter of discussion.

There is one answer to all questions: company destruction.
And exactly this is what we all should do against Google.


Vote of the EU Parliament on the breakup of Google Inc., Tagesschau, 27.11.2014
Today the EU Parliament votes on a motion concerning the market power of search engines. For the internet giant Google this could have far-reaching consequences: there is talk of splitting up the corporation. Whoever enters the word "Karten" (maps) on Google gets Google Maps as the first hit, the map service that Google operates itself. Only after that are other services from Michelin or Falk listed. And whoever wants to read news articles or shop online finds links to Google's own portals right below the Google search box. Somehow practical, since things have to be quick. But also very unfair, the other providers complain: Google abuses its market power by favouring its own products in the ranking, they say.

Facebook: FDP can imagine a breakup of Facebook, wallstreet-online.de
31 March 2018 The FDP supports antitrust considerations of the Greens to, if necessary, also break up large internet corporations such as Facebook in ...
https://www.wallstreet-online.de/nachricht/10413761-facebook-fdp-Zerschlagung-facebook-vorstellen

Facebook: Greens leader Robert Habeck demands the breakup of the US corporation, welt.de
31 March 2018 As a consequence of the data abuse affecting millions of Facebook users, the Greens demand a breakup of the US internet corporation.
https://www.welt.de/politik/deutschland/artic...beck-fordert-.htmlZerschlagung

Users as lab rats
How Mark Zuckerberg led the US Congress astray, netzpolitik.org, 17.04.2018
At last week's hearing the Facebook boss skilfully threw smoke grenades. Delicate questions about the use of user data remained unanswered. The EU's data protection supervisor meanwhile accuses the internet corporation of turning its users into "lab rats". The response of European politics to the scandal, however, is only slowly getting under way.
https://netzpolitik.org/2018/wie-mark-zuckerberg-den-us-kongress-in-die-irre-fuehrte/

Study proves intensive social media usage by cyber criminals, trojaner-info.de, 14.06.2019
The study shows that social media platforms now pose a real danger.
A new study has found that social media platforms play an important role in cybercrime and pose a great danger to companies. Since blocking social media is not a realistic defence scenario, companies should implement solutions that support the secure use of social networks, Bromium recommends.
https://www.trojaner-info.de/business-security/aktuell/studie-belegt-intensive-social-media-nutzung-durch-cyberkriminelle.html

Breakup of Facebook: Zuckerberg answers Hughes, PC-WELT.de, 13.05.2019
Zuckerberg has uncontrolled power. It is time to break up Facebook. Zuckerberg responds to the accusations.
https://www.pcwelt.de/news/Facebook-Mitbegruender-fordert-Zerschlagung-von-Facebook-10589651.html

The power of social networks
Facebook co-founder wants the breakup of Facebook, tagesschau.de, 11.05.2019
Within two months another Facebook insider goes public and demands the breakup of the corporation. This time it is the co-founder who warns of the giant's market power and influence.
https://www.tagesschau.de/wirtschaft/facebook-zerschlagung-101.html
More on this topic:
F8 conference: Facebook reloaded, https://www.tagesschau.de/ausland/facebook-entwickler-konferenz-101.html
McNamee settles accounts with Facebook, 11.03.2019, https://www.tagesschau.de/ausland/facebook-kritik-mcnamee-101.html



"Last opportunity for the US-company-destruction", netzpolitik.org, 28.04.2018
The Federal Cartel Office most recently regarded Facebook's data collection from third-party sources as abusive, while Google is suing against a fine in the billions imposed by the EU Commission for abuse of market power. After the proceedings have ended, Knoerig said, "we may, via the federal government, come to the conclusion that we form commissions, and then we can, if it should be necessary, unbundle".
Reinhard Houben (FDP) argued for waiting for the outcome of the proceedings and described the possibility of a breakup as the "last step". The digital economy needs "room so that it can develop."
https://netzpolitik.org/2018/bundestag-ueberlegt-digitale-plattformen-zur-oeffnung-zu-verpflichten/

Hamburg data protection officer in favour of a Facebook breakup, abendblatt.de, 05.04.2018
Hamburg's data protection commissioner Johannes Caspar supports political considerations about a possible breakup of Facebook ..
https://www.abendblatt.de/article213932855/Hamburger-Datenschuetzer-fuer-Facebook-Zerschlagung.html

US government abandons the breakup of Microsoft, heise.de
6 Sept. 2001 Surprising turn in the monopoly proceedings against Microsoft: the US government today decided against a breakup of the ...
https://www.heise.de/newsticker/meldung/US-Re...32.html

US scientist demands the breakup of Google, Facebook and Co., derstandard.de
[Entered on 2018-05-14] ... 23 March 2018 US marketing professor Scott Galloway has warned of the excessive power of the four tech giants Google, Amazon, Facebook and Apple and ...
https://www.derstandard.de/story/200007671614...ung-von-google-facebook-und-co

Tim Wu: Why Facebook should be broken up, netzpolitik.org, 11.07.2019
A former Obama adviser calls for the revival of an American anti-trust spirit. Facebook would become vulnerable because of its size; Standard Oil and AT&T would be examples of successful unbundlings. He accuses Mark Zuckerberg of having taken over Instagram illegally.
https://netzpolitik.org/2019/tim-wu-warum-facebook-zerschlagen-werden-sollte/

From News&Links#MSWindows

Baltimore under attack: A hacker holds a city hostage - and the ransom is only the beginning for him, STERN.de, 05.06.2019
For four weeks a hacker has brought everything in the large US city of Baltimore to a complete standstill - from the water bill to the sale of houses, nothing works any more. The demanded ransom would be no problem at all. But the attacker could be aiming at a lot more.
https://www.stern.de/digital/online/baltimore--hacker-halten-eine-stadt-als-geisel--es-geht-um-viel-geld--8741104.html

UPS
Shock!
Hacker was just looking for a computer error - and killed over 140 million by mistake!, STERN.de, 07.06.2019
https://www.stern.de/digital/online/baltimore--hacker-halten-eine-stadt-als-geisel--es-geht-um-viel-geld--8741104.html

Software::system administration
FAI turns 20 years old, PRO LINUX, 09.01.2020
[...] FAI version 1.0 was released on December 20, 1999, and is software for the large-scale and automated rollout of Linux systems. It enables the fully automated installation, configuration and administration of Linux on computers and in virtual environments. The systems are configured from predefined configurations without manual intervention by administrators, independent of configuration and hardware.
https://www.pro-linux.de/news/1/27705/fai-ist-20-jahre-alt.html

Tails 4.2 improves the automatic update, PRO LINUX
https://www.pro-linux.de/news/1/27707/tails-42-verbessert-das-automatische-update.html
Check whether this is possible for your Linux, too.

AppArmor - a way of breaking into the computer system, or a kernel security module?, Gooken, 06.07.2019
AppArmor ships profiles for: passwd, browsers, D-Bus, network, task manager (cron), dhclient, dhcp, DARPA portmap, tmpwatch, procmail, skype, wireshark, ftpd, mysqld, postfix, sendmail, squid, sshd, useradd, vsftpd, xinetd, fingerd, ntalkd, cupsd, xfs, ping, nvidia_modprobe, dovecot, apache2, dnsmasq, ntpd, identd, smbd, traceroute, winbindd, lessopen, klogd, avahi-daemon, ...
AppArmor is active from system boot by default on Linux distributions such as the Debian-based Tails. The boot time more than doubles because of this.
The module itself is integrated as a kernel security module by means of a kernel boot parameter. Pre-configured profiles can be loaded, for example, from /etc/rc.local.
The developer contracted with Microsoft years ago. Linus Torvalds recommends such a security module; it can be integrated alongside the SELinux module developed by the NSA (discussed in another report we published in News&Links) and the Japanese Tomoyo Linux (rosa, mdv).
Like every other MAC module (Mandatory Access Control, i.e. control of process interaction), AppArmor is not bound in when "security=none" is set in our kernel boot line.
Original program description from rpmfind.net: "AppArmor is a security framework that proactively protects the operating system and applications. This package provides the libapparmor library, which contains the change_hat(2) symbol, used for sub-process confinement by AppArmor, as well as functions to parse AppArmor log messages.
Base profiles. AppArmor is a file and network mandatory access control mechanism. AppArmor confines processes to the resources allowed by the systems administrator and can constrain the scope of potential security vulnerabilities. This package is part of a suite of tools that used to be named SubDomain."
"AppArmor is a security Linux kernel module similar to SELinux but it's supposed to be easier to set up and maintain. There are many reasons for you to disable it, the primary one is that its security features can get in the way of legitimate applications' operation", https://www.techytalk.info/disable-and-remove-apparmor-on-ubuntu-based-linux-distributions/
See also our report: the serious, hard newsgroup discussion about the NSA's SELinux.

AppArmor is a security module for Linux. It is a Mandatory Access Control (MAC) system that controls each application and program through profiles whose access rights refine the ordinary ones. Besides the default profiles, further profiles can be created. For each profile one of three modes has to be set.
https://wiki.ubuntuusers.en/AppArmor/
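The check an administrator would run after reading the notes above, as an added example (this is not code from the Gooken page or from the AppArmor project): a POSIX shell script that reports which Linux security module the kernel boot line selects, via the real "security=" kernel parameter mentioned above, and how many AppArmor profiles the kernel has loaded in each mode, using the one-profile-per-line "name (mode)" format of /sys/kernel/security/apparmor/profiles. The boot line and the profile list inside the script are constructed samples, so it runs offline on a host without AppArmor; on a real host the content of /proc/cmdline and of that profiles file would be passed in instead.

```shell
#!/bin/sh
# Added example, not code from the Gooken page or the AppArmor project.
# Summarises the AppArmor state of a Linux host from two kernel interfaces:
#   /proc/cmdline                          -> which LSM was selected at boot
#   /sys/kernel/security/apparmor/profiles -> loaded profiles, one "name (mode)" per line
# The sample data below is constructed so the script also runs where AppArmor is absent.

# Print the value of the "security=" kernel parameter of a boot line, or
# "default" when the boot line does not select an LSM explicitly.
# $1: the boot line (normally the content of /proc/cmdline).
lsm_from_cmdline() {
    # unquoted $1 is intentional: split the boot line into its parameters
    for tok in $1; do
        case "$tok" in
            security=*) printf '%s\n' "${tok#security=}"; return 0 ;;
        esac
    done
    printf 'default\n'
}

# Count the profiles loaded in one mode (enforce, complain, ...).
# $1: the profile list in the kernel's "name (mode)" format, $2: the mode.
# grep -c prints 0 and exits non-zero when nothing matches; "|| true" keeps
# the function usable under "set -e".
count_profiles_in_mode() {
    printf '%s\n' "$1" | grep -c -- "($2)\$" || true
}

# Print a short report for one boot line and one profile list.
report_apparmor_state() {
    printf 'LSM selected on the kernel boot line: %s\n' "$(lsm_from_cmdline "$1")"
    for mode in enforce complain; do
        printf 'profiles in %s mode: %s\n' "$mode" "$(count_profiles_in_mode "$2" "$mode")"
    done
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet security=apparmor apparmor=1'
SAMPLE_PROFILES='/usr/sbin/cupsd (enforce)
/usr/sbin/dnsmasq (enforce)
/usr/sbin/ntpd (complain)
/usr/bin/man (complain)'

report_apparmor_state "$SAMPLE_CMDLINE" "$SAMPLE_PROFILES"
```

A boot line carrying security=none, as in the page's own kernel configuration, makes the first function print "none", which is the quick way to confirm that no MAC module is bound in; a profile list with only complain-mode entries means AppArmor logs violations but does not block them.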

Ransomware infects 11 German hospitals, trojaner-info.de, 08.21.2019
Companies should invest in building a "human firewall".
Once again a phishing e-mail with a ransomware attachment appears to have been successful. Once again an employee of the operator of a hospital chain clicked on a link. Once again a social engineering attack succeeded. A commentary by Jelle Wieringa, Security Awareness Advocate at KnowBe4.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/ransomware-befaellt-11-deutsche-krankenhaeuser.html

Germany, Rhineland-Palatinate and Saarland
Hacker attack on hospitals, tagesschau.de, 07.17.2019
In Rhineland-Palatinate and Saarland several Red Cross hospitals have become the target of a cyber attack; for the time being, findings are again being recorded with pen and paper. Since Sunday data has only been available to a limited extent.
https://www.swr.de/swraktuell/rheinland-pfalz/mainz/Krankenhaeuser-und-Tageskliniken-betroffen-Hackerangriff-aufs-Rote-Kreuz-in-Rheinland-Pfalz,hackerangriff-aufs-rote-kreuz-100.html

Virus protection in comparison: Test of antivirus software: A free program beats (almost) all the others, STERN.de, 31.05.2019
Trojans, viruses and Co. make life seriously hard for PC users. But which antivirus program protects Windows best - and does it really have to cost anything? A new study by AV-Test checks it out.
Which antivirus is best for MS Windows?
Whether for protection against ransomware, trojans or stolen bank data: virus protection is a must for every computer. The remaining question is: does the preinstalled software that comes for free meet the needs, or should one buy protection at one's own cost? The experts from AV-Test recently tested 19 security solutions for MS Windows 10 for private users and companies.
Windows Defender - as good as the competitors
Surprising result: MS Windows' own Windows Defender was developed consistently over the last years and holds up very well. All in all the MS doorman got 17.5 of 18 points. Half a point was deducted for the unwanted delay of twelve frequently used programs during their installation, but in everyday life this is not tragic.
The test results weigh protection even more than installation - and this is where Windows Defender does best: it got all the points for it. There were only two false alarms in two months, which is more than acceptable.
Overview of the test results (image: ©AV-Test)
With this test result Windows Defender is on a par with the popular antivirus protection Avira Antivirus. Test winners with 18 points are Bitdefender Internet Security, Kaspersky Internet Security, McAfee Internet Security and Norton Security (no ranking, just listed in alphabetical order).
Even Stiftung Warentest is convinced
There, too, Windows Defender got good results. Protection against phishing is missing, but this is already part of most browsers. All in all, both tests show: good virus protection does not have to cost anything. One more advantage: third-party programs need plenty of rights in order to do their work correctly.
https://www.stern.de/digital/computer/antivirus-programme-im-test--windows-defender-so-gut-wie-avira-8734286.html

Uli Herrmann
How long do we have to get supervised by a torture state like rats in a laboratory?
It is obvious who has their fingers in the pie again.
It just makes me sick what "authorities" take the liberty of doing as a matter of course. Did we ever legitimise them to do so?
25 December 2014 (18:39)

mario
Damn good question!
What is far worse: ...
https://tarnkappe.info/tor-wurden-20-exit-nodes-beschlagnahmt/

Tests in 2016: Around 5500 connection attempts per day by MS Windows into the internet
Within a few hours, several hundred contacts to internet servers
Windows data protection at BSI level - how it's done, PC-WELT.de, 17.04.2019
Since the introduction of Windows 10 the operating system has been criticised for its lack of data protection: too much data is sent to the internet. Now the BSI has measured it and revealed how you can switch off the data transfer completely.
Criticism of Windows 10's data protection rains down from security experts, bloggers and companies. A PC with Windows 10 that currently has no task to perform nevertheless continuously establishes connections to servers on the internet. The criticism is not new. Even Windows XP was criticised for its so-called "call home" functions. Back then, in 2001, some programs, for example Windows Media Player, were responsible for the unannounced contact with the internet.
Continuation of the report with the corresponding security settings: News&Links#MSWindows and
https://www.pcwelt.de/a/bundesamt-fuer-it-sicherheit-bsi-untersucht-sicherheit-von-windows-10,3463082

Malware record 2019: Trojan Emotet has more than 30,000 different variants, trojaner-info.de, 16.07.2019
In the first half of 2019 G DATA already discovered more versions of the Emotet trojan than in all of 2018.
The Emotet trojan is one of the most common and most dangerous threats to companies. Cybercrime's all-purpose weapon is mostly used by criminals for targeted espionage in companies. After the initial infection, further malware such as Trickbot or the Ryuk ransomware is deployed. In the first half of 2019 the security experts at G DATA already registered more than 33,000 variants of the malware - more than in all of 2018.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/malware-rekord-2019-trojaner-emotet-hat-bereits-ueber-30-000-varianten.html

Malware campaign: Microsoft warns of Astaroth, trojaner-info.de, 16.07.2019
The Astaroth campaign uses fileless execution and living-off-the-land techniques. This makes the attacks very hard to detect.
Microsoft's security team has issued a warning about ongoing malware campaigns that spread the Astaroth malware using fileless and living-off-the-land techniques, which make it harder for traditional antivirus solutions to detect the ongoing attacks.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/malware-kampagne-microsoft-warnt-vor-astaroth.html

Mozilla blocks nation-state hackers, trojaner-info.de, 15.07.2019
Mozilla stated: DarkMatter poses "a significant threat" to the security of users.
The company DarkMatter from the United Arab Emirates, which by its own account operates in IT security, has two faces. That of the rapidly growing IT security provider that wants to ensure a secure internet, for example as a certificate service provider. And that of the employer of former NSA agents which offers espionage services to governments and spies on dissidents.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/mozilla-blockt-staats-hacker.html

MacOS: 10 times more threatened by malware, trojaner-info.de, 16.07.2019
SentinelOne found that cyber criminals increasingly focus on Apple's Mac platform and are succeeding more and more often.
Despite all claims to the contrary, Mac users are not immune to compromise or dangerous infections either: in the first six months of 2019 alone, SentinelOne's security researchers identified at least ten different types of malware aimed specifically at MacOS, as infopoint-security.de reported.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/macos-10-fach-von-malware-bedroht.html

The best tools for more data control of apps, trojaner-info.de, 17.07.2019
https://www.trojaner-info.de/apps-security/articles/apps-kontrolle-und-schutz-pers%C3%B6nliche-daten.html

Privacy investigation
More than 1300 Android apps secretly collect private data - even if you do not allow it, STERN.de, 11.07.2019
Security researchers demonstrated that more than 1000 Android apps store personal data without permission. The app providers circumvented the security measures with creative methods.
https://www.stern.de/digital/smartphones/mehr-als-1300-android-apps-sammeln-private-daten---sogar-dann--wenn-man-es-verbietet-8793248.html

1325 Android apps bypass access permissions, PC-WELT.de, 09.07.2019
https://www.pcwelt.de/news/Ueber-1000-Android-Apps-umgehen-Zugriffs-Berechtigungen-sammeln-Daten-10625000.html

Android apps have the tracker plague, PC-WELT.de, 27.03.2019
https://www.pcwelt.de/news/Android-Apps-haben-die-Tracker-Seuche-10562857.html

China: Spy app secretly spies on people entering the country, netzpolitik.org, 03.07.2019
At the borders of the Chinese region of Xinjiang, the mobile phones of people entering are spied on by an app. It searches for IS propaganda videos, but just as much for photos of the Dalai Lama. Contacts, call lists and calendars are also read out. The first antivirus software manufacturers have reacted.
https://netzpolitik.org/2019/china-spionage-app-spaeht-heimlich-einreisende-aus/

Read why it is so difficult to take legal action against spy apps, netzpolitik.org, 26.06.2019
https://netzpolitik.org/2019/warum-es-so-schwer-ist-rechtlich-gegen-spionage-apps-vorzugehen/

Putin warns of the Deep State in the USA, brd-schwindel.ru
https://brd-schwindel.ru/putin-warnt-vor-dem-deep-state-in-den-usa-diese-leute-sind-maechtig-und-stark/

Fatigue 2.0: Germans are often overwhelmed by protecting their privacy on the internet, trojaner-info.de, 28.05.2019
39 percent of Germans do not know how to secure their data.
Many users carelessly feed the internet with private data in order to get ahead, or they do it out of resignation or in the belief that it is not possible to protect their own privacy online anyway. At the same time, well-known weak points keep appearing - despite the EU General Data Protection Regulation (DSGVO), which has been in force for about a year.
https://www.trojaner-info.de/sicher-anonym-im-internet/aktuelles/ermuedung-2-0-deutsche-sind-oft-mit-dem-schutz-ihrer-privatsphaere-im-internet-ueberfordert.html

Trojan "FinSpy" cracks WhatsApp, Signal, Threema and Telegram, trojaner-info.de, 16.07.2019
The "FinSpy" trojan, in a new version, can crack almost all messengers and much more!
Security experts at Kaspersky have come across a new version which not only logs the messages on various messengers but can also activate the camera and microphone; contacts, SMS messages, e-mails, calendar, GPS location, photos, files in storage and voice messages can be monitored as well, Mimikama warns.
https://www.trojaner-info.de/mobile-security/aktuell/trojaner-finspy-knackt-whatsapp-signal-threema-und-telegram.html

WhatsApp security and data protection - two different universes?, trojaner-info.de, read on 17.07.2019
https://www.trojaner-info.de/mobile-security/aktuell/datenschutz-ade-whatsapp-teilt-facebook-telefonnummern-mit.html
https://www.trojaner-info.de/mobile-security/aktuell/vorsicht-bei-whatsapp-aktivierung-von-videoachats-ist-eine-trojaner-falle.html

Amazon experiment: What the corporation learns with every click, SPIEGEL ONLINE, 29.04.2018
Do you still remember what you searched for on Amazon a year ago today? Net activist Katharina Nocun requested her user data - and learned how much the corporation knows about its customers.
Continuation of the report coming soon!

Superscoring: How valuable are you to society?, PC-WELT.de, 25.09.2019
A new challenge for citizens in China: a social rating and points system that assigns them their place - and their success - in society. Or not. How far away are we from that? And who here still cares about human dignity? Professor Dirk Helbing of ETH Zurich answers questions on this.
https://www.pcwelt.de/ratgeber/Superscoring-Wie-wertvoll-sind-Sie-fuer-die-Gesellschaft-10633488.html

Some Germans want social scoring à la China, PC-WELT.de, 04.02.2019
Most Germans, but by no means all, think digital systems for the social control of citizens are bad, a representative study shows. The attitude towards surveillance depends on one's general outlook on life.
Continuation of the report: see below

Citizen score
Total surveillance - China wants to give grades to all its citizens, STERN.de, 17.04.2018
In China every citizen will be rated in future. Porn is bad for the citizen score, organic vegetables earn plus points. The good Chinese receive loans and bonus payments, the bad ones cannot buy flight tickets. This is what the educational dictatorship looks like.
https://www.stern.de/digital/technik/china--totale-ueberwachung---so-sollen-alle-buerger-bewertet-werden-7943770.html

High discrimination potential of automated decisions, netzpolitik.org, 04.04.2019
In many areas of society decisions are already made by algorithms. But this involves risks for people. With the "Atlas of Automation", AlgorithmWatch wants to contribute to more transparency in automated decision-making.
https://netzpolitik.org/2019/hohes-diskriminierungspotential-bei-automatisierten-entscheidungen/

Quarrel about the AMS algorithm goes into the next round, netzpolitik.org, 10.10.2019
In Austria the political dispute over the use of an algorithmic system for sorting the unemployed continues. Now researchers have sharply criticised the system from a scientific point of view. The case could become an example of how the public sector should not handle the technology.
https://netzpolitik.org/2019/streit-um-den-ams-algorithmus-geht-in-die-naechste-runde/

China's social credit points system works: 17.5 million Chinese are not allowed to buy a flight ticket, brd-schwindel.ru, 06.03.2019
The expansion of the Chinese social credit system is making rapid progress. From 2020, each of the 1.3 billion Chinese is to be able to check their own account balance via a smartphone app and thus find out whether they are a model citizen or not. In the latter case they must expect, for example, not to be able to buy flight or train tickets.
http://brd-schwindel.ru/chinas-social-credit-punkteystem-funktioniert-175-millionen-chinesen-durften-2018-kein-flugticket-kaufen/

NPP 178: When algorithms discriminate unintentionally, netzpolitik.org, 20.07.2019
No loan because you do not call your mum often enough? No insurance because you hang out in the wrong Facebook group? There are laws against discrimination based on gender, origin, age or religion. But what happens when algorithms unintentionally discriminate in their predictions? We spoke with Daniel Schwarcz about equal treatment in the age of artificial intelligence.
... what about all the unintentional cases of discrimination that can occur when machines make decisions about people? For instance, when an insurer's algorithm, combing through thousands of data points, discovers as a pattern that applicants in a certain Facebook group are more likely to get cancer? Or when an application system systematically weeds out women because they already had poor chances in the company in the past? This problem is called "proxy discrimination": standing in for an unknown variable - gender, religion or genetic predisposition - the system picks another indicator to calculate probabilities, a proxy. The people deploying these systems often do not even notice.
https://netzpolitik.org/2019/npp-178-wenn-algorithmen-unabsichtlich-diskriminieren/

Zalando shop
Surveillance of the workplace
Data protection authority investigates employee scoring at Zalando, netzpolitik.org, 22.11.2019
At Germany's largest online fashion retailer, employees have to rate each other in an app. The feedback helps determine salary and promotion chances. The Berlin data protection authority is now scrutinising this.
https://netzpolitik.org/2019/datenschuetzer-pruefen-mitarbeiter-scoring-bei-zalando/

China Cables
Oppression by algorithm, netzpolitik.org, 27.11.2019
Secret documents show how the Chinese government uses databases and algorithms to surveil and imprison millions of people. We summarise the key findings.
https://netzpolitik.org/2019/unterdrueckung-per-algorithmus/

Digital surveillance
Citizen score - 13 million Chinese live as new outcasts, 27.04.2019
Anyone in China who ends up on the list of discredited persons lives a life on the margins of society. They may use neither aircraft nor fast rail connections. On the phone, a special ringtone warns of the "unworthy" citizens.
https://www.stern.de/digital/technik/china--buergerscore---13-millionen-chinesen-leben-als-neue-aussaetzige-8684632.html

Attention, data collectors! How to protect your privacy, PC-WELT.de, 31.05.2020
Only a few pieces of information are needed to create a surprisingly detailed user profile. Bear in mind: it is not only about what you reveal of your own accord. It is also about what computers reveal about you beyond that.
Most people completely underestimate what data collectors know about them today. A personal profile held by the data krakens often comprises well over 250 attributes. The purpose of such a profile is to expose the economic "usability" of the person. As a result, some people get no supplementary health insurance or have to pay significantly more for their holidays.
Nobody can feel safe, because on the one hand the data is collected both online and offline. On the other hand, there are no good means of control. It is possible that a data collector keeps a completely wrong profile of you. In the positive case that means you pay less for a flight. But it can also mean that you do not get a loan.
Data collectors
Tracking on the internet: these companies see the most
The table shows how much internet traffic the relevant companies track. Google in first place can monitor more than 80 percent of the web. Facebook and Amazon follow in second and third place.
Anyone who uses the internet leaves traces. These include visited websites, articles read, medicines bought and much more. Each individual trace seems insignificant at first and usually cannot be attributed to anyone. But if a company manages to pick up as many of these traces as possible and assemble them into a profile, it obtains a comprehensive picture.
So one of the first questions is: which companies can collect your data traces on the internet? The company Cliqz has answered this. It evaluated the data of the cookie blocker Ghostery and found: over 80 percent of the web is monitored by Google trackers. Facebook comes second, able to monitor 27 percent of the web. Behind it lies Amazon with 18 percent (see chart). The complete list can be found here: https://whotracks.me/companies/reach-chart.html
Facebook may be far behind Google, but the social network knows very personal details of most users and can compile frighteningly comprehensive profiles of its users even with less tracking coverage. The same applies to Amazon, which gains deep insights into the lives of its customers from their purchasing behaviour.
The website Whotracks.me shows which trackers are the most common on the internet. The top places are occupied only by Google trackers. The first Facebook tracker does not appear until fifth place.
Anyone who wants to know which 1000 trackers are used most frequently can look at this list. In first place here is Google Analytics, a tracker that many websites embed to obtain information about their visitors. But this information goes not only to the website operators but also to Google. So you do not have to google a website to tell Google where you surf. Even if you navigate to a site directly or use another search engine, Google learns about it.
Facebook tracks surfers outside the social network with its Like and Share buttons (so-called social plug-ins). That means: merely visiting a website with the Like button tells Facebook that you visited this page.
These companies know even more than Google & Co.
Google, Facebook & Co. know an unbelievable amount about most internet users. But there are companies that presumably know even more about us. They are so-called data brokers, i.e. data traders. They have existed for longer than the internet. Accordingly they collect data not only on the internet but also in the offline world, for example from retail shops or from the public registers of municipal or state institutions. They supplement this data by buying further details from other data brokers. According to a report by Mitteldeutscher Rundfunk, around 1000 companies on the German market are said to trade in addresses and other personal data. So Google is not alone. Large data brokers in Germany include the companies Acxiom, AZ Direct, Experian and Deutsche Post.

The data brokers create very detailed profiles of people. They hold not only information about our age, gender, address or marital status, but also about origin, weight, height, level of education, political views, preferences and taste, shopping habits, holiday plans, health problems and illnesses, details on occupation, bankruptcies and finances. The companies advertise that they hold over 250 attributes per person. But that is not the end of it. For these attributes there are hundreds of finer characteristics that complete a profile further. For example, the attribute "keen consumer" can be joined by the information "impulse buyer", or a person's first name by their presumed origin. In the insurance area there are attributes such as "overwhelmed support seeker" or "sceptical indifferent".
The profiles are not only detailed, the data brokers also hold them on most people in Germany. The broker AZ Direct of Bertelsmann, for example, states that it knows profile data of over 70 million persons, 41 million households and 21 million buildings. The type of building inhabited alone, e.g. prefab block or owner-occupied home, carries very high significance in a profile.
Data brokers like Acxiom store hundreds of pieces of information per profile. In the insurance area, for example, there are the attributes "overwhelmed support seeker" or "sceptical indifferent".
Some years ago, the American consumer protection agency (Federal Trade Commission, FTC) scrutinised the nine largest data brokers in the USA. In its report it listed the roughly 200 profile attributes that these brokers keep in their databases. A look at the list is worthwhile to get a better feel for the data collection. A small sample: the housing category contains attributes such as "number of rooms", "garage present", "fireplace present" and 20 further items. The purchasing behaviour category contains items such as "date of last online purchase", "date of last offline purchase", "type of groceries purchased", "payment method" and over 25 further items.
There is no indication that the internet giants Google, Facebook & Co. build less detailed profiles than the classic data brokers. Google and Facebook, too, hold vast amounts of private details about their users. Google, for instance, knows which websites you visit and draws conclusions about which topics interest you, e.g. tips for back pain, news on improved anti-allergy drugs, information on labour law. Facebook likewise knows many websites you visit and additionally has the information from its social network - for example, which topics you comment on, which you give a Like and which groups you join. In addition, both internet companies usually also have a good overview of who knows whom and who is friends with whom. In many cases this allows interesting inferences.
Thanks to the GDPR, you have the right to inspect your profile. Many companies have meanwhile prepared accordingly and offer online forms for this right of access.
At Facebook you find the request for access to your data under "arrow icon –› Settings –› Your Facebook Information –› Download Your Information". It takes a few minutes until you can download a file with your profile. A look is worthwhile especially if you believe you reveal little of yourself on Facebook. Check, for example, the entry "Your address books". It often happens that Facebook has loaded your complete address book even if you believe you never authorised that. At Google you can request your profile via the website https://takeout.google.com/settings/takeout?pli=1
Data brokers: At Facebook, Google & Co. you, as a user of the services, have a relationship with them. So it is obvious that you can claim the right of access under the GDPR for yourself. But we also wanted to know whether the right of access also applies towards data brokers, i.e. companies like AZ Direct or Acxiom. On this, lawyer Christian Solmecke of the Cologne media law firm Wilde Beuger Solmecke says: "Yes, indeed the right of access under Art. 15 GDPR also applies towards data brokers. The claim exists regardless of whether there is a business relationship between the broker and the data subject; however, the data collectors must be able to prove to what extent consent to the collection of the data exists. If the right of access is asserted, the company must provide comprehensive information about where this data comes from, for what purpose it is processed and to whom the data has been disclosed."
So you can also turn to these companies. With the data broker AZ Direct this works by e-mail via the website www.az-direct.com/site/datenschutz-dialogmarketing . Acxiom provides a form at www.acxiom.de/verbraucher anfragen with which consumers can request information about their stored data. The companies have one month to respond to your request. According to GDPR Art. 15 para. 3, the information must be provided free of charge.
AI and big data
Your profile with the data collectors, however extensive it may be, is only the foundation for turning you completely into a transparent person or at least a transparent consumer. Because with AI and big data, the data collectors can find out far more about you. So it is not only about what you reveal about yourself, it is also about what computers can say about you beyond that.
An example of image recognition by AI
A car manufacturer wants to place advertisements on Facebook. Naturally the ads should only appear for people who can also afford the car. Moreover, the ads should primarily appear when users have just returned from holiday, because according to some psychologists the willingness to make a purchase as big as a car is particularly high then. Facebook can easily fulfil this wish. Either the users reveal their holiday stay themselves through a status update. Or Facebook evaluates the geodata of the IP address or of the WLAN used. For typical holiday regions this works very well. But even without geodata Facebook guesses your holiday. It simply analyses the photos you upload of yourself or your family. If the AI algorithm detects a nice new suntan, you were very probably on holiday. Because Facebook also knows with high probability that you are not a tanning-salon goer.
Big data reveals much more about you
Big data brings out details to an extent that is hard to believe. Big data means: Facebook knows 50 details about you and can therefore place you in a group of users who also have these 50 details. Some of those users, however, have revealed further details about themselves. The probability is now high that these details also apply to you. As early as 2013, the scientist Jennifer Goldbeck established that from a Facebook profile one can tell whether the person has an alcohol problem, is a good team player or is pregnant - all without direct clues.
Image recognition and artificial intelligence
Current advances in AI image recognition further aggravate several data protection problems. According to a study by Stanford University, an AI program can say with 80 percent probability after analysing just one photo whether the person shown is homosexual. With five photos the accuracy rises to 91 percent. No data profile of this person is needed; the photos suffice. For those affected this can be a major problem, for example as soon as they travel to intolerant states. So data collectors can make statements about you that go far beyond the stored data profile.
Important: you will probably find nothing of these further statements about you in the profile you obtain through your right of access, because the data collectors can generate these statements temporarily. They do so, for example, only when they can sell the information, say because an advertising customer asks for it.
The consequences
Costly consequences of profiling
The security specialist Bullguard has examined the consequences of data collection and names, among others, these problems: anyone who has frequently booked expensive hotels or flights will in future always be shown a higher price when booking online. Travel portals show higher prices to users with Apple computers. And finally, as an internet user you are predominantly shown ads for the products that supposedly match your profile. If the advertising industry believes, for example, that you are looking for a new washing machine, you are bombarded with washing-machine ads for several weeks.
Relevant: The best VPN services 2019 compared, https://www.pcwelt.de/ratgeber/Die-besten-VPN-Dienste-2020-im-Vergleich-10378281.html
A profile also has negative consequences in the offline world
The privacy browser Cliqz prevents tracking by websites with the Ghostery extension. It also offers its own privacy-oriented search engine.
The costly and unpleasant consequences of a profile are also felt in the offline world. More and more people with statutory health insurance find that they cannot get very good supplementary dental insurance. The insurers simply reject the prospective customer. This happens to prospects who presumably have bad teeth and would thus cause them high costs. Officially, the insurers justify such a rejection with a dentist's findings. But in all likelihood the insurer will take further factors into account in a contract offer. Smokers in particular cause high dental costs, and accordingly they are unpopular with insurers. There can also be problems with other types of insurance. According to Bullguard, merely researching heart disease or back problems is said to be able to lead to worse insurance conditions. Last but not least, an unfavourable data profile can also have a negative effect on bank loans. Occupation, length of employment, income level and savings are the classic criteria for granting credit, but have long ceased to be the only ones. Anyone whose profile contains the attributes "keen consumer" and "prone to impulse purchases".
Protection against data collectors
There is no complete protection against data collectors. What helps most is being stingy with your data. In the offline world that means paying cash, not using loyalty cards like Payback and of course not giving retailers any personal data. In the online world it means avoiding the big data collectors Google and Facebook as far as possible.
https://www.pcwelt.de/ratgeber/Datenschutz-So-schuetzen-Sie-Ihre-Privatsphaere-im-Web-57287.html

Experts demand more transparency of consumer scores, netzpolitik.org, 05.11.2018
How does the SCHUFA score actually come about, and what does it say about us? On the basis of opaque consumer scores we are measured and judged in ever more areas of life - with and without our knowledge. That must change, demands an advisory council on consumer affairs in its report for the Ministry of Justice.
https://netzpolitik.org/2018/sachverstaendigenrat-fordert-mehr-transparenz-fuer-verbraucher-scores/

From News&Links#bank-scandal

Massive complaints for years against: Deutsche Bahn, Deutsche Telekom, Deutsche Bank, German authorities, German police, ... Deutsche Bank has a hand in every dirty deal, tagesschau.de, 2016
National constellation of Bismarck and Wilhelm II, 50% Catholics and 50% Protestants, 7 million henchmen, two lost world wars, four Allied sectors, missing national sovereignty, federation of 16 principalities and free states, mixture of banks, monarchy and democracy, EU predominance, ...

German bank involved in around 1200 legal proceedings, tagesschau.de, 22.05.2014
The bank scandal: please click here

Visualised: PayPal shares its data with these 600 companies, netzpolitik.org, 23.01.2018
Since 1 January 2018, the online payment service PayPal has granted insight into the list of companies with which it "possibly" shares personal information of its users. Rebecca Ricks has visualised the no fewer than 600 companies.
https://netzpolitik.org/2018/visualisiert-mit-diesen-600-firmen-teilt-paypal-deine-daten/

The publishers' publishers: Google, Apple and Facebook want to hijack the paywall, netzpolitik.org, 18.04.2019
Big digital corporations want to become the central interface to paid journalism on the net. At the journalism festival in Perugia they court the industry's favour. The publishers are still a little coy, but they have hardly any counter-strategies. Is a global "Netflix for news" coming soon?
https://netzpolitik.org/2019/die-verlegerverleger-google-apple-und-facebook-wollen-die-paywall-kapern/

Thinking versus data: how humankind loses its self-control, PC-WELT, 10.01.2018
Thinking versus data: digitisation is changing society so fundamentally that we humans will soon no longer play a role in it.
https://www.pcwelt.de/a/denken-versus-daten-wie-wir-menschen-die-kontrolle-verlieren,3449330

Hunting cheats: authorities probe private bank accounts - and hand over their data, Focus, 10.04.2015
Tax offices, bailiffs and job centres are accessing the bank data of private customers more often than ever. This is how they want to catch Hartz IV cheats, delinquent taxpayers and unreliable debtors. In the search for debtors, benefit fraudsters and delinquent taxpayers, German authorities queried the private account data of bank customers in 2014 more often than ever before. This emerges from statistics of the Federal Ministry of Finance available to the "Süddeutsche Zeitung". According to these, besides the tax offices, bailiffs frequently had it checked who holds which accounts and securities deposits. The Federal Central Tax Office counted more than 230,000 completed account queries last year. In 2013 there were just under 142,000 queries - an increase of more than 60 percent. In the first quarter of 2015 alone, the office already recorded 76,000 of these queries, an indication that the number will continue to rise sharply in the current year. Requests come not only from tax authorities, which can then initiate garnishments. Job centres may also request the data, for example if Hartz IV recipients do not provide sufficient information about their personal assets. Offices that approve BAföG, housing benefit or social assistance may also make enquiries. They receive information about the bank customer's name, date of birth, address and account number. Official curiosity has been growing for years: of the 230,000 queries last year, just under 80,000 came from the tax authorities, a good 10,000 more than in 2013. The other offices queried the data in more than 150,000 cases - more than twice as many as in the previous year. The Ministry of Finance attributes this mainly to the 4500 bailiffs, who have "significantly increased" the number of queries. Since 2013 they too may obtain information about debtors.
"It has got around among creditors that this option exists," Detlef Hüermann, federal managing director of the German Bailiffs' Association, told the "Süddeutsche Zeitung". However, he pointed out that this instrument "is used almost only with uncooperative debtors who give no information about their assets". This is permitted only in certain cases; the creditor's claims must, for example, amount to more than 500 euros. If it then turns out that an account exists, the creditor can initiate a garnishment.

The data the authorities are allowed to see
Continuation of the report: News&Links#Online_Shopping

Euro counterfeit notes: more counterfeit money in Germany, SPIEGEL ONLINE, 26.07.2019
The Bundesbank withdrew more counterfeit money from circulation in the first half of the year. This was also due to the race between counterfeiters and authorities.
https://www.spiegel.de/wirtschaft/soziales/mehr-falschgeld-in-deutschland-weniger-euro-blueten-in-europa-a-1279162.html

Fight against money laundering
Customs registers more suspicious cases, tagesschau.de, 09.07.2019
After massive criticism, the customs authority's fight against money laundering was strengthened. But it helped little: the number of unresolved suspicious activity reports reached a record high.
https://www.tagesschau.de/investigativ/ndr/geldwaesche-verdachtsmeldungen-101.html

For decades massively under attack from complaints: Deutsche Bahn, Deutsche Telekom, Deutsche Bank, German authorities, German police, ... "Every dirty deal: the Deutsche Bank!", tagesschau.de, 2016
Constellation of Bismarck and Wilhelm II, 50% Catholics and 50% Protestants, 7 million henchmen, two lost world wars, four different Allied sectors, missing national sovereignty, federation of principalities and free states, mix of banks, monarchy and democracy, EU predominance, ...

"Carbanak" gang captured billions worldwide
Interpol, Europol, Kaspersky Lab and other institutions uncovered the biggest cybercrime, trojaner-info.de, 04.04.2018
An unscrupulous gang of hackers eavesdropped on bank servers for years, so that over one billion euro was stolen from a hundred banks in more than 20 countries. After investigators had pursued the gang worldwide, Spanish police managed to arrest the head of the gang in March.
https://www.trojaner-info.de/daten-sichern-verschluesseln/aktuelles/carbanak-gang-erbeutete-weltweit-milliarden.html

From News&Links#BuenoAppetito

Until 2017, every Monday: mass movement on the streets of Germany: Patrick Bachmann's Pegida, the 30th, 31st, 32nd, ... "against the Islamisation of the Christian Occident", at times with over 25,000 participants.
Three years of "Pegida": Monday after Monday, tagesschau.de, 28.10.2017
Read more about this in our section News&Links!

Even one's own look was delivered
"1000 times touched, 1000 times nothing happened.", Klaus Lage, 1980s

"We are the sadists, you the masochists!", said the quarter-century prostitute and porn model Maja Schmidt from Voerde am Niederrhein decades ago already.
They are the "Good Ones", "The Worthy", "The Beauties", the people who would always have been right. And the others...

Yogurt from Germany, wine from Italy: Putin burns tons of western food, FOCUS Online, 06.08.2015
Even the apples from the west were poisoned. [...]

Russian defence against bad influences from western food
Self-appointed intervention units enforce their import embargo
The Cossack in the supermarket, tagesschau.de, 22.08.2015
The Cossacks (German: Kosaken), once proud and combative warriors, today see themselves as guardians of national values and want to defend Russia against harmful influences from outside. For example, food from the West that finds its way into Russia despite the import ban. By Stefan Stuchlik.

... and now, after all the 1000 times of our eaves-closing in this "country", those should finally go who always did and still do this too.

Abolition of social assistance, housing benefit and sickness assistance under the old SGB II
The SPD man from Volkswagen AG made it possible - but not for everyone!


Prison even better (cheaper somehow! And even more secure!)!
Traditional walk through all the courts: the money that has always been sued the most in the world



From News&Links

"They look like friends, but they want to see us dead", FOCUS ONLINE, 28.11.2014
Sultan Erdogan's hate tirade against the West

Turkish President Recep Tayyip Erdogan is causing the next scandal. Shortly before the visit of Pope Francis, he attacked the West with a hate speech in Istanbul. In it he speaks of "Western media and strangers among us who suffer from an ego complex". "Those who come into the Islamic world from outside like oil, gold and diamonds, they like cheap labour, and they like discord and strife. They like to see our children die. They do not want us to question things," Erdogan continued. "Believe me, they do not like us," the "H&u... quotes him

From News&Links#Computer

BRD tribunals - humane alternative to the death penalty?, brd-schwindel.ru, 13.04.2019
The power of the BRD disintegrates daily. If we end up with the tribunals, what would be the fair punishment for the greatest criminals?
https://brd-schwindel.ru/brd-tribunale-humane-alternative-zur-todesstrafe/

"Last chance to break up such companies", netzpolitik.org, 28.04.2018
The German antitrust authority calls Facebook's data collection from third-party sources abusive, while Google is litigating against the fine of several million for abuse of market power imposed by the EU Commission. After the proceedings end, says Knoerig, "we may come, via the federal government, to the conclusion that we form commissions, and then, if it proves necessary, we can break them up".
Reinhard Houben (FDP) argued for waiting for the outcome of the proceedings and described the possibility of a break-up as the "last step". The digital economy needs "room so that it can develop."
https://netzpolitik.org/2018/bundestag-ueberlegt-digitale-plattformen-zur-oeffnung-zu-verpflichten/

Linux as a second system for special tasks
https://www.pcwelt.de/ratgeber/Linux-Zweitsysteme-fuer-Spezial-Einsatzzwecke-8750992.html

Build 2019
Windows 10 includes a Linux kernel and a new command-line tool, PC-Magazin.de, 08.05.2019
https://www.pc-magazin.de/news/windows-10-linux-kernel-command-line-app-3200644.html

Linux Bash: command-line tool within Windows 10
Windows 10 for nerds: these text commands every user should know, CHIP, 25.09.2016
http://www.chip.de/news/Windows-10-fuer-Nerds-Kommandozeilen-Befehle-die-Windows-10-User-kennen-sollten_100359811.html

New Microsoft Edge with Chromium base: these are the newest functions, PC-Magazin.de, 07.05.2019
https://www.chip.de/news/Neue-Version-ueberraschend-aufgetaucht-Was-kann-der-neue-Microsoft-Browser-wirklich_164896960.html

Windows needs Linux: otherwise Microsoft has no future, CHIP, 17.04.2016
Microsoft has integrated Linux into Windows 10. But not only to please developers. For the corporation it is about the future - and that is unthinkable without Linux.
http://www.chip.de/news/Windows-10-braucht-Linux-Denn-Microsoft-hat-sonst-keine-Zukunft_92315506.html

One in three does not want Windows 10 even as a free gift, (indirect Ubuntu fan) PC-WELT.de, 01.08.2016
https://www.pcwelt.de/news/Machen-Sie-das-Gratis-Upgrade-auf-Windows-10-10007169.html

How to use Windows within Linux through VirtualBox, PC-WELT.de, 08.05.2019
Through virtualisation it is possible to use software and apps for Windows on Linux too. We show how.
https://www.pcwelt.de/ratgeber/Windows-als-virtuellen-PC-in-Linux-weiternutzen-9790033.html
VirtualBox (el6, all Linux): VirtualBox-6.0-6.0.6_130049_el6-1.x86_64.rpm from 16-Apr-2019, 118M (or VirtualBox-5.2-5.2.28_130011_Linux_x86.run) and UserManual.pdf from
https://download.virtualbox.org/virtualbox/6.0.6
Alternatively: qemu (el6, all Linux), virt-manager (el6) and libvirt (el6), wine64 (el6, all Linux, 64-bit MS Windows emulator) and wine (el6, all Linux, 32-bit MS Windows emulator)

Wonderful Unix, wonderful OpenSource ("tick-tick-tick-..."), we are right (addition from 07.09.2013): Tagesschau reports on weaknesses in much security software. The software industry is said to have built backdoors into its programs. It was reportedly possible to obtain information right before a user encrypts it and to send it over the internet. Supercomputers were built to crack encrypted codes. The NSA program "Bullrun" belonged to the best-kept secrets. The British agency GCHQ was said to be very successful in cracking codes. Such analyses reportedly covered Google, Yahoo, Facebook and Microsoft. From banking software to voting computers, whether databases, data protection or data security: only open-source software can be trusted!

Since 1981/82: black monitors, tons of updates (terabytes), cyberwar, Suneater, missing drivers, driver and hardware failures, glibc patch, openssl patch, system breakdowns (among others python), defective kernel and glibc, Dirty Cow, SambaCry, Meltdown and Spectre, security holes in browsers, hackers, trojans, viruses, unresolved package dependencies and so on and on
It must be a kind of (artificial) bomb in each computer, since it sits in every operating system and in a lot of software and updates upon updates, but through Gooken's "Universal Linux 2010" it is disarmed for the first time in over 25 years.

The whole world got betrayed and sold!
Tell us what comes next, after all his B-movie minor roles and all his corrupted computer systems?


"The transparent human has already become reality", WELT.de
https://www.welt.de/print-welt/article210413/Glae

Is privacy in this century possible at all?
The Transparent Human. On total transparency in the age of NSA surveillance, Prof. Hasan Elahi
Is privacy possible at all in today's age? The media artist Prof. Hasan Elahi discusses the new normality of transparency after September 11. He reports on his project "Tracking Transience", with which...
https://doi.org/10.5445/DIVA/2014-235

Are we all transparent?
The Transparent Human, UNI.DE
The transparent human is a term often used in the field of data protection. Will we all soon be transparent?
https://uni.de/redaktion/glaeserner-mensch

From News&Links#Computer

Users like lab rats
...
, netzpolitik.org, 17.04.2018
[...] Delicate questions about the use of user data remained unanswered. The EU Data Protection Supervisor, meanwhile, accuses the internet company of turning its users into "lab rats". The response of European politics to the scandal, however, is only slowly getting under way.

The internet must go away!
Internet: brainwashing through algorithms, trolls and tech companies
Schlecky Silberstein surfs in our filter bubble, netzpolitik.org, 17.04.2018
Christian Brandes aka Schlecky Silberstein would like to abolish the medium that feeds him. In "Das Internet muss weg" the blogger describes how we are brainwashed by algorithms, trolls and tech companies. But is he not himself part of it? A review.
https://netzpolitik.org/2018/schlecky-silberstein-surft-in-unserer-filterbubble/

"I have never been lied to like this!"
#34c3: The eavesdropping programs of the secret services, netzpolitik.org, 29.01.2018
"I have never been lied to like this", said Hans-Christian Ströbele about his work on the NSA-BND investigation committee. In a conversation with Constanze Kurz, the Green politician sums up the results of the parliamentary inquiry.
https://netzpolitik.org/2018/34c3-die-lauschprogramme-der-geheimdienste/

Journalist runs a Facebook self-test
I downloaded my data: what Facebook knows about me shocked me very much, FOCUS Online, 26.06.2018
That Facebook stores data about its users is well known. But how extensive the data collection is, one only realizes when downloading it: friends, places, posts - everything is collected over years.
https://www.focus.de/digital/experten/facebook-ich-wusste-dass-facebook-daten-speichert-doch-das-ausmass-hat-mich-erschreckt_id_9145326.html
Continuation Facebook: News&Links#facebook
Removed from the public
https://www.welt.de/kultur/kino/article168457149/Wenn-ein-Tech-Gigant-nach-totaler-Kontrolle-strebt.html


New computer: four things you should do right from the start, PC-WELT.de, 02.03.2020
No matter how young or old you are: it is a great feeling to start up a new computer. Take care of security right from the start.
https://www.pcwelt.de/international/Neuer-Computer-Vier-Dinge-die-Sie-gleich-zu-Beginn-machen-sollten-10763901.html

2009/2010: year of the hardware, year of the software (CentOS el6, Mandriva 2010) - ALL talk about the computer is over! (!!!)
... almost comprehensive and security-wise: just completion and updating (see the update listing on our web page "Universal Linux 2010"!). CentOS and SL updates (el6) are provided on the internet from 2010 up to 2026 and (with el7) longer. Matching power-saving, mouseclick-fast and Linux-compatible lifetime hardware (*), nearly for free, is listed in our -> data sheet device by device: all-in-one mainboard, net adapter, all low-radiation and super-silent, ultraslim WLED TFT, SSD, ROM drives (DVD burner), multifunction printer (printing, scanning, faxing and copying), mouse/keyboard, computer tower, ...
All this although the computer stood (and stands) for "nothing is more 'kaputt' (out of order)"... (following the excursus, and see News&Links)! Lifetime hardware (*): We are going to report about errors and defects of the mainboard under data sheet in future. There are none up to now.

Avoid these 14 mistakes when building your PC (hardware) yourself!, PC-WELT.de, 04.07.2020
If you build a PC yourself for the first time, pay attention to 14 important things. Otherwise you might be in for a big bad surprise!
https://www.pcwelt.de/ratgeber/tipp-pc-selbst-bau-fehler-vermeiden-10834772.html

Moving into a bad, bad world...
From the Saturn service center: PC build - BIOS setup - partition-wise or complete mirroring (best done with the UNIX/Linux command dd) OR: partitioning - formatting (Linux filesystem, mostly ext4) - encryption (of most partitions) - installation - configuration - defragmentation (not required for Linux) - applying updates:

Put your installation DVD into the CD/DVD drive to install the operating system together with the other belonging software. We assume the rpm (package manager) based Enterprise Linux (RHEL, Fedora, CentOS or Scientific Linux) or a Mandriva derivative (PCLinuxOS, Rosa, Mageia, Mandriva), but refer to Debian Linux and so on and (indirectly) MS Windows too!
Follow the installation steps from DVD (or other media like USB)!
Do all other steps according to the manufacturer's handbooks and guidelines, then follow this excursus!
For the partitioning, under Linux formalized in the device file fstab (/etc/fstab), we recommend already at this point at least 80 GB for the root and 20 GB for the home partition, around 1 GB for the boot partition and three times the RAM size for the SWAP partition (memory swap area).
Good to know that encryption is possible already at this point, during partitioning or right after formatting. We refer to this later on in detail!

Installation and update sources for Enterprise Linux CentOS resp. Scientific Linux (el6, el7):

http://mirror.eu.oneandone.net/linux/distributions/centos/6.10/isos/x86_64/
http://mirror.jgotteswinter.com/centos/6.10/isos/x86_64/
http://wftp.tu-chemnitz.de/pub/linux/centos/6.10/isos/x86_64/
http://ftp.halifax.rwth-aachen.de/centos/6.10/isos/x86_64/
http://ftp.rrzn.uni-hannover.de/centos/6.10/isos/x86_64/
http://mirror.de.leaseweb.net/centos/6.10/isos/x86_64/
http://mirror.softaculous.com/centos/6.10/isos/x86_64/
http://artfiles.org/centos.org/6.10/isos/x86_64/
http://mirror.cuegee.de/centos/6.10/isos/x86_64/
http://centos.bio.lmu.de/6.10/isos/x86_64/
http://ftp.hosteurope.de/mirror/centos.org/6.10/isos/x86_64/
http://mirror.daniel-jost.net/centos/6.10/isos/x86_64/
http://mirrors.cicku.me/centos/6.10/isos/x86_64/
http://mirror.yannic-bonenberger.com/centos/6.10/isos/x86_64/
http://centos.datente.com/media/6.10/isos/x86_64/
http://mirror.dataone.nl/centos/6.10/isos/x86_64/
http://centos.schlundtech.de/6.10/isos/x86_64/
http://ftp.plusline.de/centos/6.10/isos/x86_64/
http://ftp.fau.de/centos/6.10/isos/x86_64/
http://centos.mirrors.as250.net/6.10/isos/x86_64/
http://mirror2.hs-esslingen.de/centos/6.10/isos/x86_64/
http://mirror1.hs-esslingen.de/pub/Mirrors/centos/6.10/isos/x86_64/
http://mirror.rackspeed.de/centos.org//6.10/isos/x86_64/
http://mirror.ratiokontakt.de/mirror/centos/6.10/isos/x86_64/
http://mirror.netcologne.de/centos/6.10/isos/x86_64/
http://repo.de.bigstepcloud.com/centos/6.10/isos/x86_64/
http://mirror.euserv.net/linux/centos/6.10/isos/x86_64/
http://ftp.wrz.de/pub/CentOS/6.10/isos/x86_64/
http://centos.intergenia.de/6.10/isos/x86_64/
http://centos.mirror.net-d-sign.de/6.10/isos/x86_64/
http://mirror.imt-systems.com/centos/6.10/isos/x86_64/
http://mirror.23media.de/centos/6.10/isos/x86_64/

Nearby Countries

http://mirror.unix-solutions.be/centos/6.10/isos/x86_64/
http://centos.cu.be/6.10/isos/x86_64/
http://mirror.kinamo.be/centos/6.10/isos/x86_64/
http://centos.mirror.nucleus.be/6.10/isos/x86_64/
http://mirror.spreitzer.ch/centos/6.10/isos/x86_64/
http://linuxsoft.cern.ch/centos/6.10/isos/x86_64/
http://mirror.switch.ch/ftp/mirror/centos/6.10/isos/x86_64/
http://pkg.adfinis-sygroup.ch/centos/6.10/isos/x86_64/
http://mirror.plusserver.com/centos/6.10/isos/x86_64/
http://ftp.ciril.fr/pub/linux/centos/6.10/isos/x86_64/
http://mirror1.evolution-host.com/centos/6.10/isos/x86_64/
http://centos.crazyfrogs.org/6.10/isos/x86_64/
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/centos/6.10/isos/x86_64/
http://centos.mirror.fr.planethoster.net/6.10/isos/x86_64/
http://ftp.rezopole.net/centos/6.10/isos/x86_64/
http://mirror.in2p3.fr/linux/CentOS/6.10/isos/x86_64/
http://mirrors.ircam.fr/pub/CentOS/6.10/isos/x86_64/
http://mir01.syntis.net/CentOS/6.10/isos/x86_64/
ftp://ftp.free.fr/mirrors/ftp.centos.org/6.10/isos/x86_64/
http://mirrors.standaloneinstaller.com/centos/6.10/isos/x86_64/
http://centos.mirrors.ovh.net/ftp.centos.org/6.10/isos/x86_64/
http://centos.mirror.ate.info/6.10/isos/x86_64/
http://fr.mirror.babylon.network/centos/6.10/isos/x86_64/
http://centos.quelquesmots.fr/6.10/isos/x86_64/
http://ftp.pasteur.fr/mirrors/CentOS/6.10/isos/x86_64/
http://mirrors.atosworldline.com/public/centos/6.10/isos/x86_64/
http://mirror.ibcp.fr/pub/Centos/6.10/isos/x86_64/
http://miroir.univ-paris13.fr/centos/6.10/isos/x86_64/
http://fr2.rpmfind.net/linux/centos/6.10/isos/x86_64/
http://centos.trisect.eu/6.10/isos/x86_64/
http://linux.cs.uu.nl/centos/6.10/isos/x86_64/
http://mirror.yourwebhoster.eu/centos/6.10/isos/x86_64/
http://mirror.colocenter.nl/pub/centos/6.10/isos/x86_64/
http://mirror.proserve.nl/centos/6.10/isos/x86_64/
http://mirror.i3d.net/pub/centos/6.10/isos/x86_64/
http://mirror.serverbeheren.nl/centos/6.10/isos/x86_64/
http://mirror.amsiohosting.net/centos.org/6.10/isos/x86_64/
http://mirror.1000mbps.com/centos/6.10/isos/x86_64/
http://mirror.widexs.nl/ftp/pub/os/Linux/distr/centos/6.10/isos/x86_64/
http://mirror.previder.nl/centos/6.10/isos/x86_64/
http://mirror.nl.leaseweb.net/centos/6.10/isos/x86_64/
http://mirror.denit.net/centos/6.10/isos/x86_64/
http://mirror.sitbv.nl/centos/6.10/isos/x86_64/
http://ftp.tudelft.nl/centos.org/6.10/isos/x86_64/
http://nl.mirror.babylon.network/centos/6.10/isos/x86_64/
http://mirror.cj2.nl/centos/6.10/isos/x86_64/
http://mirror.oxilion.nl/centos/6.10/isos/x86_64/
http://centos.ams.host-engine.com/6.10/isos/x86_64/
http://ftp.nluug.nl/ftp/pub/os/Linux/distr/CentOS/6.10/isos/x86_64/
http://mirror.netrouting.net/centos/6.10/isos/x86_64/
http://mirror.prolocation.net/centos/6.10/isos/x86_64/
http://centos.mirror1.spango.com/6.10/isos/x86_64/
http://mirror.schoemaker.systems/centos/6.10/isos/x86_64/
http://mirror.nforce.com/pub/linux/CentOS/6.10/isos/x86_64/
http://mirrors.supportex.net/centos/6.10/isos/x86_64/
http://mirrors.noction.com/centos/6.10/isos/x86_64/
http://centos.mirror.triple-it.nl/6.10/isos/x86_64/
http://centos.mirror.transip.nl/6.10/isos/x86_64/
http://mirror.fysik.dtu.dk/linux/centos/6.10/isos/x86_64/
http://ftp.klid.dk/ftp/centos/6.10/isos/x86_64/
http://mirrors.dk.telia.net/centos/6.10/isos/x86_64/
http://mirror.one.com/centos/6.10/isos/x86_64/
http://ftp.crc.dk/centos/6.10/isos/x86_64/
http://mirror.mhd.uk.as44574.net/mirror.centos.org/6.10/isos/x86_64/
http://centos.mirrors.nublue.co.uk/6.10/isos/x86_64/
http://mirrors.melbourne.co.uk/sites/ftp.centos.org/centos/6.10/isos/x86_64/
http://www.mirrorservice.org/sites/mirror.centos.org/6.10/isos/x86_64/
http://anorien.csc.warwick.ac.uk/mirrors/centos/6.10/isos/x86_64/
http://mirrors.clouvider.net/CentOS/6.10/isos/x86_64/
http://mirror.bytemark.co.uk/centos/6.10/isos/x86_64/
http://mirror.econdc.com/centos/6.10/isos/x86_64/
http://mirrors.vooservers.com/centos/6.10/isos/x86_64/
http://mirrors.ukfast.co.uk/sites/ftp.centos.org/6.10/isos/x86_64/
http://centos.serverspace.co.uk/centos/6.10/isos/x86_64/
http://centos.mirroring.pulsant.co.uk/6.10/isos/x86_64/
http://mirror.sov.uk.goscomb.net/centos/6.10/isos/x86_64/
http://mirror.vorboss.net/centos/6.10/isos/x86_64/
http://mirror.ox.ac.uk/sites/mirror.centos.org/6.10/isos/x86_64/
http://mirrors.coreix.net/centos/6.10/isos/x86_64/
http://mirror.sax.uk.as61049.net/centos/6.10/isos/x86_64/
http://mirror.cov.ukservers.com/centos/6.10/isos/x86_64/
http://repo.uk.bigstepcloud.com/centos/6.10/isos/x86_64/
http://mirror.as29550.net/mirror.centos.org/6.10/isos/x86_64/

...

...

Such listed "lifetime hardware" from our data sheet (like the low-powered mainboard ASUS ITX-220, SSD, DVD-ROM burner and the introduced AOC TFT) does - within common outdoor temperature tolerances - not show any symptoms, and therefore - after "endless" power-ons, power-offs and resets (restarts) of the computer system - not even those like the following:

How to monitor your hardware with sensors under Linux, PC-WELT.de, 24.06.2019
How hot the processor gets and whether the CPU cooler still spins can be found out with software. In order to query all available sensors, some configuration time is needed.
[...] A defective or dusty cooler can raise the temperature of the processor or graphics card so much that the system becomes unstable. The CPU frequency drops in this case, the computer reacts sluggishly or crashes frequently. Furthermore, permanently high temperatures damage the electronic components, which can lead to a total system failure. In PCs the network adapter is one more source of trouble. Defective capacitors, for example, no longer keep the voltages stable, which can lead to many malfunctions.
Linux tools for reading out sensor data help to diagnose whether all values are within their normal tolerances or whether there are anomalies; further tools inform about the health and temperature of magnetic hard drives.
We show this on the basis of Ubuntu; for other systems the procedure can differ in part.
https://www.pcwelt.de/ratgeber/Linux-Hardware-mit-Sensoren-kontrollieren-10612225.html

From News&Links#MSWindows


Whatever Microsoft Defender
5 tips for protecting against virus infections, PC-WELT.de, 06.04.2019
Viruses, worms and trojans still threaten the Windows PC. With these five tricks you can protect yourself against them.
https://www.pcwelt.de/ratgeber/6-Tipps-die-Sie-vor-Vireninfektionen-schuetzen-8317198.html

Microsoft Defender for Mac, trojaner-info.de, 01.04.2019
Windows "Defender" will be provided for Macs too. The new malware protection on the Mac platform will be called Microsoft Defender Advanced Threat Protection (ATP) instead of Windows Defender ATP. This version is developed for companies.
https://www.trojaner-info.de/business-security/aktuell/microsoft-defender-nun-auch-fuer-den-mac.html

System properties
Guide
Windows 10/8.1/7: creating system restore points, PC-Magazin.de, 18.02.2018
Whoever creates a system restore point in Windows 10, 8.1 or 7 can restore it as a backup in case of problems. Here is the guide.
http://www.pc-magazin.de/ratgeber/windows-10-windows-7-systemwiederherstellung-wiederherstellungspunkt-erstellen-backup-3195647.html

Security for MS Windows: working like the professionals
Trojaner-Board.de: professional analysis and malware/error-exclusion tools for MS Windows, trojaner-board.de
- FRST.txt log, Farbar Recovery Scan Tool (FRST): documented system description: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
- msconfig, ipconfig /all and Task Manager - built-in tools and command-line tools of MS Windows, in order to see how many and which programs got started.
- chkdsk, CrystalDiskInfo for creating log files of hard disks and extracting their S.M.A.R.T. values
- BlueScreenView for documenting blue screens and their error messages
- Malwarebytes: free software for internet security and protection ..., Malwarebytes Anti-Rootkit (MBAR), http://filepony.de/download-malwarebytes_anti_rootkit/, de.malwarebytes.com; Malwarebytes protects against malware, ransomware and more advanced online threats that lead to infected anti-virus programs and ...
Malwarebytes - malware scanner - Download - CHIP
Malwarebytes - Malware Scanner 3.3.1.2183, German and English edition: The freeware "Malwarebytes Anti-Malware" is a malware scanner that removes malware thanks to refined techniques
http://www.chip.de/downloads/Malwarebytes-Malware-Scanner_27322637.html
- hwinfo: device driver information
- clamav: virus scanner; rkhunter, chkrootkit: rootkit scanners
- AdwCleaner: the free tool AdwCleaner promises to remove unwanted adware, junkware, toolbars and hijackers from the PC.
- Revo Uninstaller: uninstalling software
- TDSSKiller: finds malware with Kaspersky TDSSKiller
- memtest86: memory (RAM) check
- S.M.A.R.T.: hard disk check
- system log files and error logs
- gparted: partition manager performing checks

Tails (Debian Stretch 9.8) and Subgraph OS
There are some projects that offer Live DVDs - a guaranteed well-configured system without trojans. As they cannot be updated, you should download the current version of the ISO images.
Nearly all Linux distributions and BSD derivatives offer Live DVDs; The LiveCD List gives an overview.
TAILS: The Amnesic Incognito Live System is the Live DVD from Torproject.org. The complete internet traffic is sent through Tor.
Subgraph OS is a heavily hardened Linux with Grsecurity/PaX kernel patches. All applications are isolated from each other in a sandbox. The Tor onion router is used as the anonymizing service by default. The ISO image for the Live DVD is an alternative to TAILS.
https://www.privacy-handbuch.de/handbuch_24o.htm
https://tails.boum.org/
https://subgraph.com/sgos/index.en.html
https://subgraph.com/sgos/download/index.en.html
https://livecdlist.com/

The installation of Tails (a special Debian Linux with programs like LibreOffice) is easy:
1. Image file
Download the image/ISO file of Tails (size: around 1 GB) for the USB memory stick or the DVD from https://tails.boum.org/. Note that these are not the same files.
2.a) DVD
Burn the ISO file onto a DVD using a DVD burning program.
2.b) USB memory stick / SSD (solid state disk) / HDD (hard disk) / bootable partition
The device file is the file for the at least 8 GB USB memory stick, for example /dev/sdd.
There should not be any partition on the memory stick, so delete all existing ones!
Copy the image file onto the USB memory stick:
dd if=path_to_image_file/tails-image.img of=device_file bs=16M && sync
3. Restart the system and boot from DVD, or press the function key (ASUS mainboard: F8 or ESC) to boot Tails from USB. For this, in the ASUS BIOS setup, Security has to be set to Full BIOS Access. After booting Tails, create the persistent storage, for example for the printer, if you like, using the belonging utility.
Done. Alternatively you can clone Tails from a running Tails onto any storage medium.
4. Install more packages for Tails resp. Debian Stretch from debian.org or other sources: activate the persistent storage, set the administrator password and use the package manager: synaptic, aptitude, apt or the command dpkg.
Source: https://tails.boum.org, handbook
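Steps 2.b and 3 above copy the image with dd. The following script is an added example (not from the Gooken page or the Tails project) that runs the page's dd command only after two checks a careful operator wants first: the image's SHA-256 matches the value published alongside the download, and the target is a whole disk (for example /dev/sdd, not /dev/sdd1) with nothing from it mounted. The device naming patterns and the environment variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: write a Tails USB image with the page's dd parameters
# (bs=16M, trailing sync), but only after verifying the image checksum and
# making sure the target is a whole, unmounted disk. Not Gooken or Tails code.
set -eu

# SHA-256 of a file; falls back to shasum where coreutils is missing.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the image's SHA-256 with the published one, case-insensitively.
# Return 0 on match, 1 on mismatch.
verify_image() {
    image=$1
    expected=$2
    actual=$(sha256_of "$image")
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Return 0 if the device name looks like a whole disk, 1 if it looks like a
# partition or something else. Naming patterns assumed here: /dev/sdX, /dev/vdX,
# /dev/mmcblkN and /dev/nvmeXnY (their partitions carry a trailing number / pN).
is_whole_disk() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/vd[a-z]) return 0 ;;
        /dev/mmcblk[0-9]|/dev/mmcblk[0-9][0-9]) return 0 ;;
        /dev/nvme[0-9]n[0-9]|/dev/nvme[0-9]n[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if any mounted source starts with the device path (so /dev/sdd1
# mounted counts for /dev/sdd). Reads /proc/mounts, or the file given as $2.
device_is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit (found ? 0 : 1) }' "$mounts"
}

# Run all checks, then the page's dd command. Any failed check aborts before
# a single byte is written.
write_image() {
    image=$1
    device=$2
    expected=$3
    verify_image "$image" "$expected" || { echo "checksum mismatch for $image" >&2; return 1; }
    is_whole_disk "$device" || { echo "$device is not a whole disk (refusing to write)" >&2; return 1; }
    if device_is_mounted "$device"; then
        echo "$device has mounted partitions; unmount them first" >&2
        return 1
    fi
    dd if="$image" of="$device" bs=16M && sync
}

# Stand-alone use (variable names are this example's own):
#   TAILS_IMAGE=/path/tails.img TAILS_DEVICE=/dev/sdd TAILS_SHA256=<published> sh write-tails.sh
if [ -n "${TAILS_IMAGE:-}" ] && [ -n "${TAILS_DEVICE:-}" ] && [ -n "${TAILS_SHA256:-}" ]; then
    write_image "$TAILS_IMAGE" "$TAILS_DEVICE" "$TAILS_SHA256"
fi
```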

How to make the Raspberry Pi even more secure, PC-WELT.de, 09.06.2019
As the single-board computer is very widely used, it becomes a target for attacks. Therefore it should be secured.
https://www.pcwelt.de/a/so-machen-sie-den-raspberry-pi-sicherer,3449552

Software::Distributions::Debian
Debian switches package format from DEB to RPM, PRO-LINUX, 02.04.2019
https://www.pro-linux.de/news/1/26921/debian-stellt-auf-rpm-um.html

From News&Links#IdentityTheft

Employees do the advertising
Tweeting like a football club: "Amazon FC", tagesschau.de, 25.01.2019
In order to improve its image, Amazon uses unusual PR: employees join critical discussions - and praise their employer in the highest tones.
https://www.tagesschau.de/inland/amazon-twitter-101.html

From News&Links#Facebook

Influencer before the court
Advertising or not?, tagesschau.de, 25.01.2019
Pamela Reif provides fashion and fitness tips for millions of Instagram followers. Now she is accused of surreptitious advertising before the court. Frank Bräutigam about an unconventional dialog in the courtroom.
https://www.tagesschau.de/inland/pamelareif-101.html

From News&Links#NSA&Co.

Germany is just an information source for the USA, report by Rolf Büllmann, BR radio studio Washington, tagesschau.de, 07.07.2014


How anti-Semitic is Germany?, tagesschau.de, 21.12.2017
Not only on the internet are agitation and hate messages against Jews spreading - as shown by anti-Israel protests with burning flags or wild abuse against the landlord of an Israeli restaurant in Berlin. How anti-Semitic is Germany today?, https://www.tagesschau.de/multimedia/kurzerklaert/antisemitismus-ke-101.html

From News&Links#Computer_Smartphones

Two cameras, several microphones, a GPS module and oodles of private user data: smartphones are the perfect surveillance devices
Security expert reveals: your smartphone can spy on you - although you switched everything off, STERN.de, 08.02.2018
Via GPS and co., smartphones can monitor us permanently. Fortunately, these functions can be switched off. A researcher now explains how these security measures can nevertheless be circumvented - and why this is hardly preventable.
https://www.stern.de/digital/smartphones/so-kann-ihr-smartphone-sie-ausspionieren---obwohl-sie-alles-abgeschaltet-haben-7855612.html
https://www.stern.de/digital/computer/erpressungs-trojanern--so-schuetzen-sie-sich-vor-ransomware-6725356.html
https://www.stern.de/digital/online/datenraub--mit-diesen-7-tipps-schuetzen-sie-sich-davor-8521708.html
https://www.stern.de/tv/datenhack--warum-wurde-es-dem-taeter-so-leicht-gemacht-und-wie-kann-man-sich-schuetzen--8521650.html
https://www.stern.de/digital/online/der-mann--der-uns-schwierige-passwoerter-einbrockte--bereut-seine-entscheidung-7577534.html
https://www.stern.de/digital/online/iphone-privatsphaere--mit-diesen-einstellungen-schuetzen-sie-ihre-daten-8522116.html
https://www.stern.de/tv/gute-passwoerter-und-co---so-schuetzen-sie-sich-bestmoeglich-vor-hackerangriffen-8524324.html

How to secure mobile end devices: http://www.pcwelt.de/ratgeber/So-sichert-man-mobile-Endgeraete-im-Unternehmen-ab-FAQ-9582121.html

From News&Links#Introduction

12,000 satellites
SpaceX (Elon Musk, "Tesla") launched the first satellites for internet everywhere, PC-WELT.de, 23.02.2018


US military defense budget 2018: 716 billion dollars
Trump signs law
Highest budget for the US Army, tagesschau.de, 14.08.2018
The US military defense budget amounts to 716 billion dollars. President Trump signed the law for the highest budget ever - and defends his plans for a space army.
https://www.tagesschau.de/ausland/trump-verteidigungshaushalt-103.html

From News&Links#NSA_GHCQ_&_Co.
PRISM, "Tempora" and many bugging devices - how the NSA spies on friends and enemies, and the consequences; reports from tagesschau.de, 2013 to date

NSA & Co. - disclosures by Edward Snowden, cyberwar and unlimited spying - the surveillance scandal (reports from tagesschau.de 2013 and 2014)
PRISM, "Tempora" and many bugging devices - how the NSA spies on friends and enemies and the consequences for net, mobile systems, telephone, e-mail and post; Tagesschau chronicle - please click here

"Five Eyes" - USA, Great Britain, Canada, Australia and New Zealand
Dossier about the NSA investigation committee, netzpolitik.org, 03.01.2019
https://netzpolitik.org/nsa-untersuchungsausschuss/

From News&Links#Children

What experts are greatly worried about: Google has bred robot babies, CHIP, 18.12.2017
It sounds like a screenplay from a science-fiction film. Google builds robots that are able to breed smaller offspring. These baby robots are much more clever, work more effectively and can change human life radically.
http://www.chip.de/news/Google-hat-Roboter-Babys-gezuechtet-Experten-machen-sich-Sorgen_128860357.html

Amazon congratulates users on their non-existent babies, PC-WELT.de, 09.21.2017
Numerous Amazon users receive messages about their non-existent baby wish list.
https://www.pcwelt.de/a/amazon-beglueckwuenscht-nutzer-zu-nicht-existenten-babys,3448175

Eyewitness in front of the drugstore Rossmann MG: "Big cars run over small children!"
An unknown passer-by in the city of MG-Rheydt in front of Rossmann, 05.30.2015, 13:00, about 35 years old, has seen the unbelievable: "Big cars run over small children!". They drive at high speed, they want fun and do not care much about the traffic.

New accident statistics
Scary figure: in NRW, every 81 minutes a child has an accident, FOCUS Online, 01.20.2017
http://www.focus.de/regional/videos/unfallbilanz-veroeffentlicht-erschreckende-zahlen-alle-81-minuten-verunglueckt-in-nrw-ein-kind_id_6676021.html

Unimaginable, the thought of parents about their small children already babbling at school about their attitudes and opinions...

Children tracking, digitalcourage.de, 09.09.2018
The BigBrotherAward 2012 in the category "communication" went to the Cloud as a trend to deprive users of control over their data. Laudation by Rena Tangens.
PR: "Satchel": the new version presents not a solution but a problem
The association for data protection and human rights Digitalcourage warns against the new versions of the "satchel" apps. Media reported that the city of Ludwigsburg plans comprehensive children tracking despite criticism from many sides. After Wolfsburg, Digitalcourage demands that Ludwigsburg too refrain from children tracking in elementary schools.
https://www.digitalcourage.de
https://digitalcourage.de/kinder-und-jugendliche

From News&Links#Alternatives

Year 2010: everything for the computer is done (only updating left)!
Already becoming true: computing without any risks:
Power-saving, mouseclick-fast all-in-one lifetime hardware (nearly)
  • (nearly) for free
  • breathtakingly mouseclick-fast already on the listed hardware, see under "data sheet" (graphics appear immediately per mouseclick, fast graphics (* some memory-intensive programs like browsers and dolphin, depending on kernel version and RAM, still might need a few seconds)). This is also a good indication of a tuned, well-working system free from hackers, trojans and so on.
  • "Universal Linux 2010": from at least 8 MB RAM: We tested "Universal Linux 2010" with kernel-4.19 (pclos, highly recommended; but our choice: 4.20.13, alternatively: kernel-4.18 (el8), kernel-4.9 (el6), kernel-2.32 (el6)); TLS 1.3 requires kernel >= 4.13, see https://www.security-insider.de/https-mit-tls-13-in-der-praxis-a-714096/), if functioning, mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004 (leads to a manual LUKS password request even if a password key file exists!), mdv2011: version 008), glibc (el8: 2.28, pclos: the current 2.31, mga6: 2.22, fc; for printers with 32-bit drivers only, like Brother, install glibc (2.22, el6) too and relink and delete adequately in /lib), qt4 (el6) and KDE 4 as a mix of kde (mdv2010.2, November 2011), kde (el6, currently patched, year 2018) and kde (4.4.4, OpenSuSE, 2013). glibc (mga6: 2.22) might not fulfill the requirements (dependencies) for fc >= 29 except for the packages (rpm) listed in the following: then a higher-versioned glibc like glibc (pclos, fc) is needed!
    kernel-firmware (around 250 MB, OpenSuSE, slack 14.2, el6, ...), kernel-firmware-extra
    If glibc (mga6, 2.22, pclos) is kept, el8, pclos (at this time 2.31), el7, el6 and ROSA (see our section Update "Universal Linux 2010") provide quite good alternatives to such high-versioned Fedora Core (fc >= 29).

    If a 32-bit printer driver is used, keep the previous glibc for i586 and just install glibc (pclos: 2.31 x86_64; el6, x86_64)!

    In order to avoid error messages of glibc (el8) during system boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

    After the installation of kernel-4.19 (pclos), look for its requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".
  • without any breakdowns (stable hardware and software)
  • shock-proof (SSD)
  • break-in protection (chassis intrusion detection, baby phone etc.)
  • standardized, scientific open source (code from project groups and software practicals of universities)
  • self-repairing
  • comprehensive software (client, server, all categories including 3D and 2D games, ...), all already installed on the hard disk
  • free from license fees
  • free from all maintenance
  • free from viruses, worms, hackers, trojans, malware, adware, spyware, Meltdown and Spectre, pharming, spam, phishing, bots, tracking scripts, cryptominers, driver problems, ...
  • without the need to play doctor (without essential hard disk scans and self-checks)
  • free from any password hacks and cracks through locked system and user accounts with /sbin/nologin as the login shell, through (access-protected) key files on the hard disk for the
  • LUKS-encrypted partitions (except the LUKS-encrypted root partition), common read/write/execute/suid/sgid/sticky access rights and ACL together with owner rights on processes, directories and files (especially /usr/bin/su and /bin/su)
  • through special kernel, boot and mount options, pamd login
  • start of X (X11, X Window) with the options -nolisten tcp and -xauth, special "xhost" locks for other users
  • kernel security modules (grub boot option security): MAC (not needed anymore to achieve the promised total security, it's just for lovers): Mandatory Access Control (restrictable process interaction): AppArmor, Tomoyo (graphical support), SELinux, ...
  • all root-owned processes except X (and mgetty/mingetty, if installed) are started by kthreadd and belong to the kernel
  • hardened kernel (not essentially needed; it originates from the kernel security module secumod): grsecurity patches, paxctld
  • communication and surfing without any traces in the world wide web and internet (preconfigured through prefs.js resp. user.js, sandbox-protected through firejail
  • Firefox ESR (Extended Support Release resp. Pale Moon) with special extensions in private mode), with
  • Tor (Tor Browser), even anonymized within one more own sandbox without the originating IP (anonymized computer-identifying number out of the IPv4 address namespace), and even the
  • DNS traffic is kept anonymous by TorDNS as the remote-host DNS, while the most frequent DNS queries get resolved locally within /etc/hosts and persistently by pdnsd within the hard disk cache (/var/lib/cache/pdnsd/pdnsd.cache).
  • With Firejail, many browsers run in firejail's suid sandbox, executed under user "surfuser" of group "surfgroup" resp. "toruser" and "torgroup", by
  • https/SSL/TLS (TLS2.0, TLS3.0) unhackable end-to-end encrypted network connections
  • free from man-in-the-middle attacks etc. and therefore (through firewall Linfw3) without ICMP, UDP and IGMP traffic and other communication (communication protocols): iptraf, for example, always shows an empty second field below the field with the TCP connections) and so on
  • nearly upgrade- and update-free past year 2026
  • all partitions including the root partition and USB memory sticks, temporary directories and the SWAP file are encrypted (FSE: Full System Encryption by LUKS; OpenPGP for e-mail and single directories and files)
  • Because of common read/write/execute access rights and ACL, directories and files remain free from read, write and execution for all users (except root), especially for the surfuser, except oneself as the active user:

paranoid security without too many restrictions for the user!

With this system, be welcomed live on the daily update-channel https://www.pro-linux.de from year 2010 up to year 2026 and longer!

The described "Universal-Linux" also includes emulators for other operating systems (besides the boot manager grub for multi-boot):
  • MS Windows 3.1, 95, 98, SE, ME, NT 4.0, NT 3.5, XP, 2003, Vista, Windows 2008, Windows 7, all both as i686 (32 bit) and x86_64 (64 bit): emulator wine (mainly), qemu or xen), virtualization: KVM (kernel module kvm-amd, kvm-intel with libvirt, qemu-kvm, libvirt-client, libvirt-daemonsystem, bridge-utils, Virt-Manager, the device drivers developed by Red Hat and signed by Microsoft (Virt-IO drivers)), Virtualbox, Vmware (for details about virtualization see e.g. https://www.pcwelt.de/ratgeber/Virtualisierung_unter_Linux-9988750.html)
  • MS DOS (dosemu)
  • Apple Macintosh (basiliskII), PowerMAC (SheepShaver)
  • Cisco 7200 and 3600 and Freescale Coldfire 5206 emulator (dynamips)
  • Amiga (uae, fs-uae, e-uae, uade)
  • Atari ST, Atari 8 bit computer (hatari)
  • Commodore VC 64 (vice, micro64), Amstrad CPC (caprice32),
  • ZX Spectrum (fbzx), MSX (fmsx, openmsx), NeoGeo (gngeo), Dragon32, Dragon64 and Tandy CoCo (xroar), Minitel (xtel), Nintendo Gameboy (zboy), TI89(Ti)/92(+)/V200 emulator (tiemu3)
  • Multi-System-Emulator (simh)
  • and many other computer operating systems.

The Gooken internet search engine shows you on this website step by step (hook by hook) what has to be done to reach this total IT security for the computer!
You can enjoy a hardened Linux booting from DVD or alternatively from USB stick:
"Tails Linux: The Anti-NSA-PC", 04.23.2014
"Can the NSA crack everything, even the hardest encryption? Only a UNIX/Linux-based system can achieve security, says one of the authors below. Edward Snowden knows more about this than others. In order to make communication really secure, he decided to install the Linux distribution Tails. CHIP shows the Anti-NSA-PC for free [...]. Fast and simple: Tails runs as a hardened Debian Linux",
http://www.chip.de/artikel/Tails-Linux-installieren-Der-Anti-NSA-PC_63845971.html
Release of the anonymizing Linux distribution Tails 2.6 with Tor Browser 6.0.5 from 09.23.2016
http://www.pro-linux.de/news/1/23990/anonymisierungs-distribution-tails-26-mit-tor-browser-605-freigegeben.html

Edward Snowden also recommends a Linux/UNIX derivative he considers secure, see News&Links#Computer and News&Links#Alternatives and secure apps. But should the well-known reference computer system resp. "Universal-Linux" we are going to introduce ever not be as secure as it ought to be, setting the ro option (read-only) for the root partition in /etc/fstab resp. /boot/grub/menu.lst (grub1, analogous for grub2) after all the installing and updating can create a bulletproof Linux even on hard drives doing their best.

Darknet browser Tor is ready for Android: you can surf completely anonymously with your mobile phone, CHIP, 27.05.2019
The Tor Browser is regarded as a symbol for anonymous surfing in the internet and the easiest way into the darknet. Now a finished version of the browser has been provided in the Google Play Store. We show you how to surf with this browser over the Tor network on your Android smartphone.
https://www.chip.de/news/Darknet-Browser-Tor-fuer-Android-fertig-Am-Handy-komplett-anonym-surfen_148414180.html

Year 2016: incredibly high piles of packages for outdated Linux distributions are still provided by contributors like fr2.rpmfind.net and pbone.net. Most distribution versions cannot be kept up to date, while the update list from pro-linux.de grows day by day. Linux, comment from the newsgroup alt.linux.suse, year 2003:

"I am so happy, that my linux run stable for the last 12 hours!".


Today:

Red Hat Enterprise Linux 7.1 receives extended security certification, Pro-Linux, 14.12.2017
Without modification, Red Hat Enterprise Linux got certified for the "General-Purpose Operating System Protection Profile" (OSPP) 3.9. Now Red Hat Enterprise Linux can be used and applied in security-critical environments.
https://www.pro-linux.de/news/1/25437/red-hat-enterprise-linux-71-erhält-erweiterte-sicherheitszertifikation.html

Date: 30.03.2011, thanks, we got it: secure, OK, mouse-click-fast upon MS Windows 7 and Linux and all belonging Linux games: a (bohemian) 19 W power consuming computer ASUS (mini) ITX-220 from 2009/2010 with a socketed, crash-free BIOS, onboard Intel sound chip, onboard Atheros LAN chip and ROM and onboard Intel graphics, an AOC WLED TFT with less than 18 W and more than one million working hours, all for about 200 €. Looking at technical revisions and software rpm package changelogs one notices that the world gave its best: in 2010 (quite) everything has been made for computers; the magic year of fast, ergonomic, power-saving hardware, the year of Mandriva 2010, the year of CentOS 6 (DVD CentOS 6 (current tenth revision, with many updates and patches by Jonny Hughes, NY) for 4,95 € or for free out of the internet) and of the more than 50,000 package versions of Fedora Project resp. the carefully resulting and (Fedora Core (fc)-) backported Enterprise Linux (el) resp. CentOS 6, fixed and patched for the next ten years (until 2026), whose IT security was raised quite to the maximum by concept with the methods, configurations and updates we want to present here on this website, so that computer technique got solved (after a long, long time ...): error-free (totally: since the python stability patch from 2016), free from trojans, hackers, viruses, spyware, adware, everything. Day after day the amount of still missing software declined, and you still have to keep the computer up to date sometimes by installing some updates. Up to that year, the prices paid for different Linux distributions could even exceed those of other operating systems. But now you won´t have any difficulties.

Text to the illustration at the top: Build your final

"UNIVERSAL COMPUTER with UNIVERSAL-LINUX"

consisting of up to 100 DVDs of 4,4 GB each, full of rpm and deb packages (Debian) and many tarballs from anywhere ON THE DAILY UPDATE-PATCH-CHANNEL (fc, el6/sl6, http://www.pro-linux.de/sicherheit/1/1/1.html) and belonging further packages from pkgs.org, fr2.rpmfind.net and pbone.net. All kinds of Linux games run fine too.

Similar to Scientific Linux, "CentOS" stands for "Community Enterprise Operating System". It is based 100% upon the source code of Red Hat Enterprise Linux. The only difference is that commercial support is missing. Typical CentOS users are organizations and private people aiming for a stable Enterprise operating system without the need for commercial support. The stable versions of CentOS are supported with (RPM) updates for ten years.
CentOS is a Linux distribution from Red Hat with the same source code as Red Hat Enterprise Linux. Since January 2014 CentOS belongs to Red Hat as a free-of-charge alternative to Red Hat Enterprise Linux for all those who do not need commercial support for Red Hat Enterprise Linux. Even though no one guarantees it, CentOS is in fact almost fully compatible with Red Hat Enterprise Linux.
https://www.pro-linux.de/news/1/27054/centos-8-benötigt-noch-etwas-zeit.html

What we are going to describe in the following:

No hackers, no viruses, no trojans, no malware, no ad- and no spyware, no ransomware, no dangerous scripts, rare resp. no traces left in the net, ..., nothing of it, and no kernel up from 2.6.39 (if stable) and not many root-owned processes that can affect the computer system anymore: use
  • the command dd for secure work with the partition-wise restores and backups, started from an encrypted rescue partition, USB memory stick or DVD like Knoppix with cryptsetup (LUKS) installed,
  • the iptables-based firewall linfw3,
  • port scan detection (psad, psd),
  • intrusion detection systems (IDS),
  • the local DNS cache dnsmasq
  • and adblockers like our list-importing Konqueror adblocker, free useragent settings and other extensions for your browser together with
  • the sandbox firejail (pclos),
  • configure /etc/fstab for the declaration of the partitions and file systems, in our case ext4, under security aspects,
  • configure /etc/passwd for blocking the shells,
  • set owner and access rights,
  • ACL (setfacl/getfacl),
  • use MAC (apparmor, tomoyo) and
  • chattr upon UNIX/Linux file systems and follow the
  • configurations and methods introduced here on this website to make security really possible! Profit from
  • end-to-end-encrypting TLS/SSL used by browsers like Konqueror, Firefox, Firefox ESR resp. Tor Browser (Firefox ESR) and
  • pgp/gpg- and TLS-based e-mail clients like Thunderbird and/or Kmail, claws-mail with claws-mail-plugins, ...
  • all this upon a LUKS/dm-crypt and dracut fully encrypted computer system (FSE), to be on the safe side also with a read-only (and by dracut LUKS-encrypted) root partition.


HOWTO: Either you install the version of a current (new) Linux distribution after the updates for your installed one have expired (we recommend Debian Linux resp. Ubuntu, SuSE Linux, Fedora, the carefully from Fedora resulting and backported CentOS (resp. RedHat), Rosa and Openmandriva; PCWelt: Ubuntu and Mint), or you install the comprehensive and approved el6 (including many, many top games on the basis of OpenGL and SDL), mdv2010.0 resp. mdv2011, mga1 up to mga3 or any rpm distribution of the last decades from fr2.rpmfind.net and take care of its updates. For mdv2010.0 think of updating with the securely running autumn and spring update versions mdv2010.1 and mdv2010.2 to mdv2010.2 (65 GB, around 15 DVDs).

How does this work? It´s easy (or it sounds so): All you need for the next time is in principle "any" Linux distribution from DVD/CD, USB memory stick or per download out of the internet etc., one that is named by PRO-Linux (http://www.pro-linux.de/1/1/sicherheit.html) within the huge update listing of the last ten or twenty years. Install this distribution following the self-activating installation instructions onto an installation medium (we recommend a Solid State Disk of at least 120 GB (SSD with a main resp. root partition of at least 65 GB and a SWAP partition of at least 2 GB)) and possibly more single programs resp. packages with the help of a package manager as expressive as possible. We recommend Debian Linux or a (Fedora Core-) backported Linux distribution guaranteeing long update support (like RedHat resp. CentOS and Scientific Linux el6 and el7). Regardless of the amount of software resp. packages, this Linux distribution can be considered as a gateway to the big UNIX/Linux and emulation world of even more; we recommend current UNIX/Linux distributions, current updates and all kinds of software and games. Emulation means that with the help of emulators (like Wine for MS Windows) and virtual machines like Xen and Qemu, software running upon other operating systems can be used too. Notice that it is possible to install all software on the installation medium at once without risking too much. The important thing is that it is possible to upgrade the standard GNU C library (glibc) of this distribution, so that the kernel of the LONGTERM series out of kernel 3 and 4 can be upgraded too.

A 1:1 copy of the partitioned medium as a safeguard should not be missing! Perform all security methods introduced in the following point by point as soon as possible, as the installation is extremely endangered (by hackers and so on) from the very first connection to the net!

"There is not much difference between the Linux distributions, except for the base installation and the package management. Most distributions contain for the most part the same applications. The main difference lies in the versions of these programs shipped with the stable release of the distribution. For example, the kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. are present in all Linux distributions."
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html

Right up from the very beginning - installing an OS like UNIX/Linux

... most of it already through the installation medium:

format -> partitioning -> format -> encryption (full system encryption, FSE) -> format -> installation (from external medium) -> configuration -> defragmentation (not essential for many UNIX/Linux file systems) -> encryption (full system encryption, FSE) -> (backup with dd and) update -> configuration -> (backup with dd and) update (... notice the total time needed: ?)

Alternatively: some nice "guy" or so does many things for you by mirroring an almost complete system from his medium onto your own (SSD (sdx), hard disk (S-ATA: sdx, IDE: hdx), CD/DVD, USB memory stick, ...). This can save plenty of time (look out for the right processor architecture (x86_64, i686, ...) and set /etc/X11/xorg.conf for the next time to vesa or fb)! Do this mirroring with a command like: "dd if=/dev/sda of=/dev/sdb"

Used editor in the following: nano

First this website introduces some configurations, followed by updating, partitioning and encryption during the introduction of basic shell commands.

Mounting partitions the right way
When mounting an Ext file system (ext2, ext3 or ext4), there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition:

/dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2

You see the difference in the options sections. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but it:

  • only applies to ext2 or ext3 file systems
  • can be circumvented easily

The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:

alex@joker:/tmp# mount | grep tmp
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
alex@joker:/tmp# ./date
bash: ./date: Permission denied
alex@joker:/tmp# /lib/ld-linux.so.2 ./date
Sun Dec 3 17:49:23 CET 2000

Newer versions of the kernel do however handle the noexec flag properly:

angrist:/tmp# mount | grep /tmp
/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
angrist:/tmp# ./date
bash: ./tmp: Permission denied
angrist:/tmp# /lib/ld-linux.so.2 ./date
./date: error while loading shared libraries: ./date: failed to map segment
from shared object: Operation not permitted

However, many script kiddies have exploits which try to create and execute files in /tmp. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in /tmp e.g. when /tmp is accidentally added into the local PATH.

Also be forewarned, some script might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see Bug 116448.

The following is a more thorough example. A note, though: /var could be set noexec, but some software [21] keeps its programs in /var. The same applies to the nosuid option.

/dev/sda6 /usr ext3 defaults,ro,nodev 0 2
/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2
/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2
/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2
/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0
/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0
/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
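As an added example (not from the Debian manual and not part of Gooken's own setup), the following POSIX shell script audits an fstab for the restrictive options discussed above, using the example fstab just shown as the model: nodev, nosuid and noexec for /tmp and /var/tmp, nodev and nosuid for /home, and ro plus nodev for a separate /usr. The mapping of mount points to expected options and the sample fstab are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the Debian manual or of this page's own setup.
# Audit an fstab for the nodev/nosuid/noexec (and ro for /usr) mount options.

# required_opts MOUNTPOINT: print the comma-separated options expected there.
# The mapping is an assumption derived from the example fstab above.
required_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev,nosuid,noexec" ;;
        /home)                  echo "nodev,nosuid" ;;
        /usr)                   echo "ro,nodev" ;;
        *)                      echo "" ;;
    esac
}

# has_opt OPTS OPT: succeed if the comma-separated OPTS contains OPT as a whole
# word, so that "noexec" does not satisfy a check for "exec" or the other way round.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FILE: print "MOUNTPOINT missing OPT" for every expected option that
# is absent; return 0 only when all audited mount points carry all expected options.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        want=$(required_opts "$mnt")
        [ -n "$want" ] || continue                  # mount point not audited
        for o in $(printf '%s' "$want" | tr ',' ' '); do
            if ! has_opt "$opts" "$o"; then
                echo "$mnt missing $o"
                rc=1
            fi
        done
    done < "$1"
    return $rc
}

# Constructed sample fstab (not a real system): /usr is writable, /tmp lacks noexec.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# <device>  <mount point>  <type>  <options>                           <dump> <pass>
/dev/sda6   /usr           ext3    defaults,nodev                      0 2
/dev/sda8   /tmp           ext3    defaults,nodev,nosuid               0 2
/dev/sda9   /var/tmp       ext3    defaults,nodev,nosuid,noexec        0 2
/dev/sda13  /home          ext3    rw,nosuid,nodev,exec,auto,nouser    0 2
EOF

if audit_fstab "$SAMPLE"; then
    echo "all audited mount points are restricted as expected"
else
    echo "tighten the entries listed above (remount after editing /etc/fstab)"
fi
rm -f "$SAMPLE"
```

Run it against /etc/fstab of a live system to see which of the mount points from the example above are still missing their options; a mount point that is not in the table is simply skipped.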

Postfix - shorten information

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (FreeBSD/GNU)

... that means without version number and possibly with a new operating system name.
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html

dbus (messagebus): secure single service files
dbus of many versions makes mistakes from time to time by removing single service files out of /usr/share/dbus-1/services and /usr/share/dbus-1/system-services without being allowed to.
Therefore all service files should be backed up in any backup directory.

Exchange "Exec=kded" into "Exec=kded4":
nano /usr/share/dbus-1/services/org.kde.kded.service
[D-BUS Service]
Name=org.kde.kded
Exec=/usr/bin/kded4

Just update by the kernel binary (kernel-...rpm) or configure, patch and compile the kernel source (kernel-...src.rpm)
We assume that any rpm-based Linux distribution is already installed on a storage medium like a hard disk. Our section for updates refers to RedHat, CentOS or Scientific Linux, Fedora Core, PCLinuxOS, ROSA, Mageia or Mandriva.
How to configure, patch and compile kernel sources: Download and install all binary rpm required for the kernel. Then download, install or unpack the kernel source rpm into /usr/src either by "tar -xvjf kernel-source-package", by rpm on the kernel source rpm or by file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a symbolic link named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "make oldconfig". A file .config is created to configure the kernel.
Type "make xconfig" or "make gconfig" or "make menuconfig" and configure the kernel drivers and so on: needed (CC), needed as modules (CC MM) and such to resign from.
For FSE (full system encryption) by dracut, two options have to be enabled, which is already done in kernel (pclos, rosa2016.1, el8, el7) and kernel-desktop (mdv2011) but not in kernel (el6); both options are named in the compile steps further below.

Generally, the security level of software is not only represented by stability, but also by the freedom from errors and warnings listed by the compiler during the compilation of its source code. Kernel 2.6.32 (el6) produces many of them, some caused by kmem.h, while the nearly error-free kernel 2.6.39.4-5.1 (mdv2011) (only a few small patches from 2012-2016, dirty-cow included, are known!) compiles on our system without any errors or warnings within around four hours! This is the best sign of good and securely running code. The only thing remaining is to apply the dirty-cow patch to mm.h and memory.c.

http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/

Kernel: We recommend kernel 4 (we chose 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004, which leads to a manual LUKS password request even in the case of an existing password key file!, mdv2011: version 008) and glibc (el8, pclos)), but describe 2.6.39.4-5 now (also running on some playstations and so on), patched up to date by sources (containing the dirty-cow patch in main) and showing fewer compilation warnings and no errors compared to 2.6.32 (el6). This mdv kernel is described from patch sources like http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/, the kernel itself from http://fr2.rpmfind.net/linux/kernel/v2.6/linux-2.6.39.4.tar.xz: kernel-desktop (mdv2011) with glibc (pclos, mga6), module-init-tools (we recommend mdv2011, but you can also use el6, up to 3.16; append ".conf" to all files in /etc/modules.d; module-init-tools (mdv2011) never makes trouble with it), coreutils (el6), initscripts (mdv2011, pclos and el6 as depicted below), util-linux (mdv2011 or el6 except /bin/mount and /lib64/libmount*, which you have to delete after unpacking the rpm (not installing!) and copying its contents), kernel-firmware (pclos, slack14.2 with more than 250 MB unpacked, mga6, el6), if you want plus kernel-firmware (OpenSuSE 42.1, 32 MB) plus kernel-firmware (OpenSuSE 13.2) plus linux-firmware (fc27, 35 MB) plus kernel-firmware-extra (pclos, rosa2014.1), kernel-headers (el6), kernel-doc (el6), ksymoops (OpenSuSE 12.2, mdv2011), coreutils (el6), coreutils-libs (el6), binutils (fc25, el6), nss (el7, el6, fc30), nss-softokn (el7, el6, fc30), nss-sysinit (el7, el6, fc30) and nss-softokn-freebl (el7, el6, fc30), nss-util (el7, el6, fc30), nss-tools (el7, el6, fc30).
glibc (el8: 2.28, pclos: the current 2.31, mga6: 2.22, fc; for printers with 32-bit drivers only, like Brother, install glibc (2.22, el6) too and relink and delete adequately in /lib).

In order to avoid error messages of glibc (el8) during system boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n! If necessary install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

All patches for 2.6.39.4-5.1 available so far in the internet from http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/:
compiler-gcc5, add-timesys-bootlogo, dirty-cow, lantronix-ts1, no-setlocalversion, no-unused-but-set-variable, revert-nfsroot, timeconst.pl-eliminate-perl-warning, ltrx-image-rom and yaffs2.

Patch: patch (el6, fc27, mdv2010.1) has to be installed. Then type "patch -p1 < ../patchname.patch "

But at first do the following:

Current kernel: how to install a patched kernel source: A lot of free partition space (memory) is required, maybe plenty of gigabytes. Download and install all binary rpm required for the kernel. Then download and unpack the kernel source rpm into /usr/src either by "tar -xvjf kernel-source-package" or by file-roller.

Two possibilities:
1) Building a kernel rpm out of the sources after applying the patches: Configure the spec file of the installed source rpm by adding the patches or commenting them in and out, to build a new binary kernel rpm to install or update: https://www.howtoforge.de/anleitung/wie-man-einen-kernel-kompiliert-auf-fedora/. For CentOS and mdv, depending on the package manager, use the command "rpm -ba kernel-xxx.spec" instead of "rpmbuild -ba kernel-xxx.spec" to create the binary.
2) Configure the sources and compile them:
A new directory named "linux-kernelversion" or "kernel-source-kernelversion" is created within /usr/src.
Link this new directory to a symbolic link named linux: "ln -sf linux-kernelversion linux" resp. "ln -sf kernel-source-kernelversion linux".
Change into this directory linux resp. linux-kernelversion resp. kernel-source-xxxx and call "make oldconfig". A file .config is created to configure the kernel. Copy .config to include/config/auto.conf.

If you do not know what to enable or not, choose MM:
(M) or (CC) to load as a module wherever possible,
(A) or (CC MM) to auto-load the module or
(-) to resign from the module.

Example (module extraction of kernel-2.6.39-40.src.rpm)


General preparation of Linux, kernel-2.6.39-40.src.rpm

In order to take a firewall in use, kernel support for iptables and its modules should be enabled.
Open a console and enter one of the statements
make menuconfig for the dialog GUI,
make xconfig for the Tk GUI,
make gconfig with GTK or
make config


Choose kernel options within

Networking options --->
[*] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration --->
...
(M) Userspace queueing via NETLINK (EXPERIMENTAL)
(M) IP tables support (required for filtering/masq/NAT)
(M) limit match support
(M) MAC address match support
(M) netfilter MARK match support
(M) Multiple port match support

(M) TOS match support
(M) Connection state match support
(M) Unclean match support (EXPERIMENTAL)
(M) Owner match support (EXPERIMENTAL)
(M) Packet filtering
(M) REJECT target support
(M) MIRROR target support (EXPERIMENTAL)
...
(M) Packet mangling
(M) TOS target support
(M) MARK target support
(M) LOG target support
(M) ipchains (2.2-style) support
(M) ipfwadm (2.0-style) support

think of other options (modules), store this configuration.

Before iptables can be used, the kernel module netfilter for the support of iptables has to be loaded e.g. by the statement modprobe:
# modprobe ip_tables

kernel-firmware (binary blobs within /lib/firmware, rpm kernel-firmware (around 250 MB) and/or kernel-firmware-extra ):

For kernels before 4.18:
KERNEL Enable support for Linux firmware

Device Drivers --->
Generic Driver Options --->
-*- Userspace firmware loading support
[*] Include in-kernel firmware blobs in kernel binary
(/lib/firmware) Firmware blobs root directory

For kernels beginning with 4.18:
KERNEL Enable support for Linux firmware

Device Drivers --->
Generic Driver Options --->
Firmware loader --->
-*- Firmware loading facility
() Build named firmware blobs into the kernel binary
(/lib/firmware) Firmware blobs root directory

Type "make dep && make clean && make mrproper".

Type "make xconfig" or "make gconfig" or "make menuconfig" and configure the kernel drivers and so on: needed (CC), needed as modules (CC MM) and such to resign from, or for a pregiven configuration type "make oldconfig".

For FSE (full system encryption) by dracut, two options have to be enabled, which is already done in kernel-desktop (mdv2011) but not in kernel (el6):
within the first item "General setup" enable "Initial RAM filesystem and RAM disk support", and in "Generic Driver Options" enable the option "Maintain a devtmpfs at /dev" with the subitem "Automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know what to enable or not, choose MM to load as a module wherever possible.
Save the new .config.
Set the kernel version at the top of the Makefile.
Three possibilities, after patching the source code, e.g. with the dirty-cow patch:
patch -p1 < ../any_patch.patch
(apply all other patches in this way)
1) make -i rpm (to create the binary kernel rpm package, which takes around four hours on our system)
2) make all # or
3) make dep (dependency properties to establish the relationship)
make clean (to remove the old data)
make bzImage (to create its core vmlinuz for /boot only, after renaming the created file bzImage; time needed: around 30 minutes) or
make bzImage && make modules && make modules_install for the installation of the kernel modules too.
Copy the bzImage to /boot and rename it to vmlinuz-kernelversion.
Use mkinitrd resp., in the case of FSE (full disk encryption resp. encrypted root partition), dracut to create the initrd resp. initramfs within the directory /boot. If dracut does not work anymore, e.g. as a consequence of updates, rename the new kernel version to the old kernel version in the Makefile and make bzImage once again.
If you use grub as the bootloader and not grub2 and the config file is still not configured for the new kernel, do this by editing /boot/grub/menu.lst and exchanging the vmlinuz kernel versions. If a new initramfs or initrd has been created, enter it in the line for initrd.
Done.
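As an added example (not part of this page and not from any distribution's kernel packaging), this shell script checks a kernel .config for the options the steps above require before "make bzImage" is started: the dracut/FSE options from "General setup" and "Generic Driver Options", the netfilter options needed for iptables, and the firmware loader. The CONFIG_ symbols are the standard Kconfig names behind those menu entries; which values the script accepts and the sample .config are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or from any kernel package. Check a kernel
# .config for the options the compile steps above require. The CONFIG_ symbols
# are the Kconfig names behind the menu entries named in the text (kernel 2.6.39
# or newer assumed); which values count as sufficient is this script's assumption.

# check_kconfig CONFIG_FILE: print one line per unsatisfied option, in the form
# "SYMBOL: missing", "SYMBOL: disabled" or "SYMBOL: got VALUE, want one of ALLOWED";
# return 0 only when every listed option is satisfied.
check_kconfig() {
    cfg="$1"; rc=0
    # SYMBOL:ALLOWED, where "y" means built-in only and "ym" means built-in or module.
    for req in \
        CONFIG_BLK_DEV_INITRD:y \
        CONFIG_DEVTMPFS:y \
        CONFIG_DEVTMPFS_MOUNT:y \
        CONFIG_NETFILTER:y \
        CONFIG_IP_NF_IPTABLES:ym \
        CONFIG_IP_NF_FILTER:ym \
        CONFIG_IP_NF_TARGET_REJECT:ym \
        CONFIG_NETFILTER_XT_MATCH_STATE:ym \
        CONFIG_FW_LOADER:y
    do
        sym=${req%%:*}; allowed=${req#*:}
        # Kconfig writes enabled options as SYMBOL=y|m and disabled ones as
        # "# SYMBOL is not set"; an absent line means the option was never offered.
        val=$(sed -n "s/^$sym=\(.*\)$/\1/p" "$cfg")
        if [ -n "$val" ]; then
            case "$allowed" in
                *"$val"*) ;;
                *) echo "$sym: got $val, want one of $allowed"; rc=1 ;;
            esac
        elif grep -q "^# $sym is not set$" "$cfg"; then
            echo "$sym: disabled"; rc=1
        else
            echo "$sym: missing"; rc=1
        fi
    done
    return $rc
}

# Constructed sample .config (not a real build): the devtmpfs options needed for a
# dracut initramfs on an encrypted root are off, the REJECT target was never
# selected, and the firmware loader is only a module.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
# CONFIG_DEVTMPFS is not set
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_FW_LOADER=m
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
EOF

if check_kconfig "$SAMPLE"; then
    echo "kernel config satisfies the FSE, iptables and firmware requirements"
else
    echo "rerun make menuconfig and enable the options listed above before make bzImage"
fi
rm -f "$SAMPLE"
```

Point it at /usr/src/linux/.config after "make oldconfig" to catch a missing devtmpfs option before spending the compile time; without CONFIG_DEVTMPFS_MOUNT the dracut initramfs cannot populate /dev to open the LUKS root.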

Installation guide and tuning Linux securely: https://wiki.kairaven.de/open/os/linux/tuxsectune and https://wiki.centos.org/HowTos/OS_Protection (in our example related to mdv2010.2 or CentOS 6 el6 with many patches/updates by Jonny Hughes, NY). Be careful, for example with the exchange of the password encryption from md5 to sha256 or sha512 and with /etc/pam.d/system-auth. Make backups or copies!

Through "about:config" many URLs can be removed out of the listing after typing in "http".

Using compile-time hardening options
Several compile-time options (detailed below) can be used to help harden a resulting binary against memory corruption attacks or provide additional warning messages during compiles. Using "dpkg-buildflags" is the recommended way to incorporate the build flags in Debian.
See ReleaseGoals/SecurityHardeningBuildFlags for additional information, https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags.
For a step-by-step guide, see the HardeningWalkthrough, https://wiki.debian.org/HardeningWalkthrough.
Source: https://wiki.debian.org/Hardening
Fedora/CentOS etc: https://fedoraproject.org/wiki/Changes/Harden_All_Packages

Listing: Linux security updates from the year 2000 on, PRO-LINUX.de
... of the most important distributions, naming the closed error, bug resp. exploit
https://www.pro-linux.de/sicherheit/1/1/1.html

Recent LWN.net security pages
Here are the most recent LWN.net security pages, with a comprehensive roundup of a week´s worth of security-related information.


Date - Contents
Apr 12, 2017 - Network security in the microservice environment; Two Project Zero reports; ...
Apr 05, 2017 - ARM pointer authentication; Quotes; Exploiting Broadcom WiFi; ...
Mar 29, 2017 - refcount_t meets the network stack; Quotes; ...
Mar 22, 2017 - Inline encryption support for block devices; Shim review; ...
Mar 15, 2017 - A kernel TEE party; Quotes; Struts 2 vulnerability; ...
Mar 08, 2017 - A new process for CVE assignment; Smart TV bugging quotes; Threat modeling ...
Mar 01, 2017 - The case of the prematurely freed SKB; SHA-1 collision and fallout; ...
Feb 22, 2017 - The case against password hashers; New vulnerabilities in dropbear, kernel, nagios-core, qemu, ...
Feb 15, 2017 - A look at password managers; New vulnerabilities in kernel, libevent, mysql, php, ...
Feb 08, 2017 - Reliably generating good passwords; New vulnerabilities in epiphany, graphicsmagick, gstreamer (and plugins), spice, ...
Feb 01, 2017 - The Internet of scary things; New vulnerabilities in ansible, chromium, kernel, mozilla, ...
Jan 25, 2017 - Security training for everyone; New vulnerabilities in fedmsg, firejail, java, systemd, ...
Jan 18, 2017 - Ansible and CVE-2016-9587; New vulnerabilities in bind, docker, qemu, webkit2gtk, ...
Jan 11, 2017 - SipHash in the kernel; New vulnerabilities in kernel, kopete, syncthing, webkit2gtk, ...
Jan 04, 2017 - Fuzzing open source; New vulnerabilities in bash, httpd, kernel, openssh, ...
Dec 22, 2016 - OWASP ModSecurity Core Rule Set 3.0; New vulnerabilities in apport, kernel, libupnp, samba, ...
Dec 14, 2016 - ModSecurity for web-application firewalls; New vulnerabilities in jasper, kernel, mozilla, roundcube, ...
Dec 07, 2016 - Locking down module parameters; New vulnerabilities in chromium, firefox, kernel, xen, ...
Nov 30, 2016 - Django debates user tracking; New vulnerabilities in drupal, firefox, kernel, ntp, ...
Nov 16, 2016 - Reference-count protection in the kernel; New vulnerabilities in chromium, firefox, kernel, sudo, ...
https://lwn.net/Security/

Setting /usr read-only for the separate usr partition
If you set /usr read-only (in /etc/fstab), you will not be able to install new packages on your Debian GNU/Linux system. You will have to remount it read-write first, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it accordingly.
To do this, modify /etc/apt/apt.conf and add:

DPkg
{
Pre-Invoke { "mount /usr -o remount,rw" };
Post-Invoke { "mount /usr -o remount,ro" };
};

Note that the Post-Invoke may fail with a "/usr busy" error message. This happens mainly when files that got updated are still in use during the update. You can find these programs by running

# lsof +L1

Stop or restart these programs and run the Post-Invoke manually. Beware! This means you'll likely need to restart your X session (if you're running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system (and please note that this might not be recommended if the root partition is encrypted); see also the discussion on debian-devel about read-only /usr.
We are going to encrypt the complete system (FSE) with the reliable LUKS, including the complete root and home partitions (and USB media), and to mount partitions that must not be written to as read-only. Note that this does not exclude doing the same for a separate usr partition.

/etc/pam.d/system-auth (tested only on our platform and system):

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_tcb.so shadow
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=0
password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow remember=2
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


More about PAM modules:
http://www.linuxdevcenter.com/pub/a/linux/2001/09/27/pamintro.html?page=2
https://linux.die.net/man/5/pam.d

A few more things you can do with PAM:
- Use encryption other than DES for your passwords (making them harder to brute-force decode).
- Set resource limits on all your users so they can't perform denial-of-service attacks (number of processes, amount of memory, etc.).
- Enable shadow passwords (see below) on the fly.
- Allow specific users to log in only at specific times from specific places.
Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in users' home directories by adding these lines to /etc/pam.d/rlogin:

#
# Disable rsh / rlogin / rexec for users
#
login auth required pam_rhosts_auth.so no_rhosts

Source: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

Account locking
While having strong passwords in place for user accounts can help thwart brute force attacks, as mentioned previously in point 18 - Enforce strong passwords, this is only one way of slowing down this type of attack. A good indication of a brute force attack is a user account that has failed to log in successfully multiple times within a short period of time; these sorts of actions should be blocked and reported. We can block these attacks by automatically locking out the account, either at the directory if one is in use, or locally.

The pam_tally2.so PAM module can be used to lock out local accounts after a set number of failures. To get this working I have added the line below to the /etc/pam.d/password-auth file.

auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200

This will log all failures to the /var/log/tallylog file and lock out an account after 3 consecutive failures. By default it will not deny the root account; however, we can also lock out root by specifying even_deny_root (though this may not be required if you have disabled root access as per point 3 - Disable remote root access and point 4 - Disable root console access). The unlock time is the number of seconds after a failed login attempt after which an account will automatically unlock and become available again.

Failed logins can be viewed as below; to view all failures simply remove the --user flag.

# pam_tally2 --user=bob
Login           Failures Latest failure     From
bob                 4    08/21/15 19:38:23  localhost

The failure count can be manually reset by appending --reset to this command.

pam_tally2 --user=bob --reset

If a login is successful before the limit has been reached, the failure count will reset to 0. For more details see the pam_tally2 manual page by typing 'man pam_tally2'.

It's worth noting that the manual page advises to configure this with the /etc/pam.d/login file; however, I found that under CentOS 7 this did not work and I needed to use the /etc/pam.d/password-auth file instead. I also tried using /etc/pam.d/system-auth, which I found documented elsewhere, but this also failed, so this may differ based on your operating system.

You can also manually lock and unlock local user accounts rather than waiting for the failure limit to be reached (the source shows this for the user account 'bob').
Source: https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

pam_tcb.so: Migrating from shadow passwords to tcb in Linux
For a more secure Linux password system, a migration from shadow passwords to tcb is worth a little extra work. Vincent Danen tells you what you need to recompile and patch.
"Shadow passwords have been a de facto standard with Linux distributions for years, as well as the use of md5 passwords. However, there are drawbacks to using the traditional shadow password method, and even md5 is not as secure as it used to be. One drawback to the shadow password file is that any application that requires looking up a single shadow password (i.e., your password) also can look at everyone else's shadow passwords, which means that any compromised tool that can read the shadow file will be able to obtain everyone's shadow password."

Install pam_tcb (e.g. pam_tcb (pclos) and the other PAM module rpms). If the encryption should be blowfish, install the package bcrypt.

Source and howto: https://www.techrepublic.com/article/migrating-from-shadow-passwords-to-tcb-in-linux/
Alternatively: Migrating to tcb, http://www.opennet.ru/man.shtml?topic=tcb_convert&category=8&russian=2

After following the howto (but without switching to blowfish and without deleting the shadow files), our modified /etc/pam.d/system-auth contains:

#%PAM-1.0
auth optional pam_mount.so try_first_pass
auth required pam_env.so
auth sufficient pam_tcb.so
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=1200
account sufficient pam_tcb.so
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=1
password sufficient pam_tcb.so use_authtok tcb write_to=tcb
password required pam_deny.so
session optional pam_mount.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_tcb.so


and /etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
auth sufficient pam_tcb.so shadow fork prefix=$2a$ count=8
auth required pam_deny.so
account required pam_tcb.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_tcb.so try_first_pass use_authtok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_tcb.so


with /etc/nsswitch.conf:
shadow: compat +user +root +surfuser +toruser -anonymous -bin -daemon -uuidd -rtkit -sync -mail -news -avahi -haldaemon -ALL tcb
You should rather try the originally intended "shadow: tcb nisplus nis" instead, and put the hosts line into the recommended order "hosts: files ... dns ...".
Also replace pam_unix.so with pam_tcb.so in all files under /etc/pam.d/.
All this makes the computer once more mouseclick-fast and secure.
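As an added check for the pam_tally2 lines in the stacks above and in the account-locking section (example code written for this page, not from the quoted sources): the linter parses a pam.d stack, reports a pam_tally2.so line that sits below a 'sufficient' module in the auth or account phase, checks that deny= and unlock_time= are set, and prints the order the pam_tally2(8) man page uses. The sample stack is the system-auth file quoted earlier on this page.

```python
"""Lint a PAM stack for pam_tally2 placement (added example for this page)."""
import re

# Constructed sample: the system-auth stack quoted on this page.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_tcb.so shadow
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=0
password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow remember=2
password required pam_deny.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"""

PHASES = ("auth", "account", "password", "session")
# phase, control (plain word or [bracketed] form), module, remaining arguments
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (phase, control, module, args) tuples; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) in PHASES:
            phase, control, module, rest = m.groups()
            entries.append((phase, control, module, rest.split()))
    return entries

def lint_tally(entries):
    """Findings about pam_tally2.so placement and options in the auth/account phases.

    A 'sufficient' module that succeeds ends the phase immediately, so a
    pam_tally2.so line below it is skipped for every correct password: in the
    auth phase the deny= limit is then never enforced, and in the account
    phase the failure counter is never reset.
    """
    findings = []
    for phase in ("auth", "account"):
        stack = [e for e in entries if e[0] == phase]
        tally = [i for i, e in enumerate(stack) if e[2] == "pam_tally2.so"]
        if not tally:
            findings.append(f"{phase}: no pam_tally2.so line")
            continue
        for _, control, module, _ in stack[:tally[0]]:
            if control == "sufficient":
                findings.append(f"{phase}: pam_tally2.so placed after sufficient {module}")
        if phase == "auth":
            opts = {a.split("=", 1)[0] for a in stack[tally[0]][3]}
            for needed in ("deny", "unlock_time"):
                if needed not in opts:
                    findings.append(f"auth: pam_tally2.so without {needed}=")
    return findings

def reorder_tally(entries):
    """Move the first pam_tally2.so line of each phase to the top of that phase,
    which is the order the pam_tally2(8) man page shows."""
    out = []
    for phase in PHASES:
        stack = [e for e in entries if e[0] == phase]
        tally = [e for e in stack if e[2] == "pam_tally2.so"]
        rest = [e for e in stack if e[2] != "pam_tally2.so"]
        out.extend(tally[:1] + rest + tally[1:])
    return out

def render(entries):
    """Serialise entries back into pam.d line format."""
    return "\n".join(" ".join([p, c, m] + a) for p, c, m, a in entries)

if __name__ == "__main__":
    parsed = parse_pam(SAMPLE_SYSTEM_AUTH)
    for f in lint_tally(parsed):
        print("finding:", f)
    print("\nsuggested order:\n" + render(reorder_tally(parsed)))
```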

Disable Root Console Access
The previous step disables remote access for the root account; however, it will still be possible for root to log in through any console device. Depending on the security of your console access you may wish to leave root access in place; otherwise it can be removed by clearing the /etc/securetty file as shown below.

echo > /etc/securetty

This file lists all devices that root is allowed to log in to; the file must exist, otherwise root will be allowed access through any communication device available, whether that be a console or something else.

With no devices listed in this file, root access has been disabled. It is important to note that this does not prevent root from logging in remotely with SSH, for instance; that must be disabled as outlined in point 3 - Disable remote root access above.

Access to the console itself should also be secured; a physical console can be protected by the measures covered in point 13 - Physical security.

https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

Limiting the number of processes (source: Arch Linux)
On systems with many or untrusted users, it is important to limit the number of processes each can run at once, thereby preventing fork bombs and other denial of service attacks. /etc/security/limits.conf determines how many processes each user or group can have open, and is empty (except for useful comments) by default. The Arch wiki's example lines limit all users to 100 active processes, unless they use the prlimit command to explicitly raise their maximum to 200 for that session; our own values are shown below. These values can be changed according to the appropriate number of processes a user should have running, or to the hardware of the box you are administrating. Do not set the limit too low, or the system can malfunction.

* soft nproc 300
* hard nproc 320
# user soft nproc 200
# user hard nproc 250
# surfuser soft nproc 60
# surfuser hard nproc 80
toruser soft nproc 80
toruser hard nproc 100
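An added example for this page (not Arch's or any quoted source's code) that parses a limits.conf fragment, flags item names pam_limits(8) does not know, flags hard limits below soft limits, and resolves the limit a given user would get. The sample is constructed from the lines above, keeps the misspelling 'nporc' to show that such a line is dropped rather than enforced, and adds an inverted pair for surfuser.

```python
"""Check an /etc/security/limits.conf fragment (added example for this page)."""
# Item names pam_limits(8) understands; anything else is rejected by the module.
KNOWN_ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
               "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks",
               "sigpending", "msgqueue", "nice", "rtprio"}

# Constructed sample: the page's lines, the misspelling 'nporc' kept on purpose,
# plus a deliberately inverted soft/hard pair for surfuser.
SAMPLE_LIMITS = """\
* soft nproc 300
* hard nporc 320
# user soft nproc 200
@wheel hard nproc 400
surfuser soft nproc 60
surfuser hard nproc 50
toruser soft nproc 80
toruser hard nporc 100
"""

def parse_limits(text):
    """Return (rows, problems): rows are (domain, type, item, value) tuples."""
    rows, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            problems.append(f"line {n}: expected 4 fields, got {len(parts)}")
            continue
        domain, kind, item, value = parts
        if kind not in ("soft", "hard", "-"):
            problems.append(f"line {n}: unknown limit type {kind!r}")
        elif item not in KNOWN_ITEMS:
            problems.append(f"line {n}: unknown item {item!r}, line will be ignored")
        elif not (value.isdigit() or value in ("unlimited", "infinity")):
            problems.append(f"line {n}: bad value {value!r}")
        else:
            rows.append((domain, kind, item, value))
    return rows, problems

def check_soft_hard(rows):
    """Flag hard limits below the soft limit for the same domain and item."""
    table = {}
    for domain, kind, item, value in rows:
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            table[(domain, item, k)] = value
    problems = []
    for (domain, item, k), hard in table.items():
        soft = table.get((domain, item, "soft"))
        if k == "hard" and soft and hard.isdigit() and soft.isdigit() and int(hard) < int(soft):
            problems.append(f"{domain} {item}: hard {hard} below soft {soft}")
    return problems

def effective_limit(rows, user, groups, item, kind):
    """Resolve the limit pam_limits would apply: an explicit user entry wins over
    an @group entry, which wins over the '*' default. None means nothing is set."""
    best = None
    for domain, k, it, value in rows:
        if it != item or k not in (kind, "-"):
            continue
        if domain == user:
            rank = 3
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 2
        elif domain == "*":
            rank = 1
        else:
            continue
        if best is None or rank > best[0]:
            best = (rank, value)
    return None if best is None else best[1]

if __name__ == "__main__":
    rows, problems = parse_limits(SAMPLE_LIMITS)
    for p in problems + check_soft_hard(rows):
        print("problem:", p)
    for who, grp in (("toruser", set()), ("bob", {"wheel"}), ("bob", set())):
        print(who, "hard nproc ->", effective_limit(rows, who, grp, "nproc", "hard"))
```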


librepository (el6), libsafec-check (fc30, fc29): finds unsafe APIs. This once more makes the computer mouseclick-fast!

Bastille, msec, rkhunter, chkrootkit, clamav (clamscan, klamav), maldetect, checksec, seccheck, xsysinfo, smartd, nessus, tkcvs and cervisia, ...
At this point consider programs like Bastille and msec (rosa2016.1, rosa2014.1) to check for gaps in system security before continuing with the manual configuration point by point. Such programs, with their own graphical front-ends or wizards, log security gaps and are able to automatically reconfigure the system to be even more secure.

Two-Factor Authentication
Two factor authentication can be implemented for SSH access or other application logins. It improves login security by adding a second factor of authentication: the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Security and Google Authenticator, as well as many others. These typically involve installing an application on a smartphone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
Source: https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

... can't believe it, remark by Gooken:

As running programs (processes), think of word processing and a terminal, already exist in RAM...

All Intel CPU generations since Celeron
"We can read out everything!", tagesschau.de, 04.01.2017
Following a newspaper report, researchers at the Technical University of Graz disclosed the newest security vulnerability in many computer processors. "We were shocked ourselves that this works", said Michael Schwarz from TU Graz to the "Tagesspiegel".
Through this vulnerability, all data that the computer is currently processing could be read out. "In principle we could read out everything currently entered on the keyboard." Attackers could also obtain data from online banking or stored passwords. "To do this, they must first get into the computer", Schwarz qualified.

Serious security flaw in all Intel CPUs, PC-WELT, 03.01.2018
A serious flaw was found in Intel processors of the last 10 years (except the one introduced in our data sheet, remark by Gooken). Fixing it costs performance.
https://www.pcwelt.de/a/schwere-luecke-in-allen-intel-cpus-entdeckt,3449263
What to do:
Data sheet: platform ITX-220 is not listed in Intel's table of affected mainboards (1), and Intel's accompanying system-analysis tool (intel-sa00086.zip for Linux) reported that no vulnerability was detected (2). Result: module MEI (2) cannot be found (this module can be loaded manually with the command "modprobe mei", at each boot via /etc/modules, or by dracut right from system start).

Is there a workaround/fix?

- There are patches against Meltdown for Linux (KPTI, formerly KAISER), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre, https://meltdownattack.com/
- iucode-tool (pclos2018)
- CPU: mouseclick-fast and secure: microcode_ctl (do not be irritated by other versions; install the fast-working microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29: 2.1-34, rosa2016.1 on top of el6) or ucode-intel (OpenSuSE, >= 20190618-lp151.2.3.1.x86_64.rpm), also against ZombieLoad (it has to be activated from the console). We recommend the mouseclick-fast microcode_ctl (rosa2016.1) on top of microcode_ctl (el6, rpm -i --force). Take the fastest current microcode_ctl, such as microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29, rosa2016.1. To use microcode_ctl, load the microcode into the CPU at each boot by running the command "microcode_ctl -Qu" from /etc/rc.local or from /usr/share/autostart. If this is not done at boot, the CPU runs on its initial (default) microcode again.


How to start microcode_ctl, for example by adding to /etc/rc.local:

echo 1 > /sys/devices/system/cpu/microcode/reload
sh /usr/libexec/microcode_ctl/reload_microcode

or start microcode_ctl automatically at each boot via the corresponding udev rule (number 83).

Changelog microcode_ctl
* Fr Dez 15 2017 Petr Oros poros@redhat.com - 1:1.17-25.2
- Update Intel CPU microde for 06-3f-02, 06-4f-01 and 06-55-04
- Add amd microcode_amd_fam17h.bin data file
- Resolves: #1527357
- Intel: tool for ME security vulnerabilities, 24.11.2017, https://www.pro-linux.de/news/1/25369/intel-werkzeug-f%C3%BCr-me-sicherheitsl%C3%BCcken-vorgestellt.html
- kernel-4.20.13 with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004, which leads to a manual LUKS password prompt even when a password key file exists!; mdv2011: version 008) and the reintegrated KPTI/KAISER patch
- "modprobe mei", or enable or disable loading of the module mei in /etc/modules by adding or removing the line "mei". MEI was named in Intel's security checks as one part of the main risk.


After installing kernel-4.19 (pclos), look at its requirements and install missing ones such as kmod (pclos): "rpm -qi --requires kernel-4.19....".

- Update Firefox to 57.0.4 or 52.5.3-ESR (OpenSuSE) - Security fixes to address the Meltdown and Spectre timing attacks - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ - Require new nss 3.34 (fixed rhbz#1531031) - Disabled ARM on all Fedoras due to rhbz#1523912
- Nvidia vs. Spectre: new Nvidia drivers protect against Spectre CPU attacks, https://www.pcwelt.de/a/neue-nvidia-treiber-schuetzen-vor-spectre-cpu-attacken,3449339 ; NVIDIA graphics drivers (USN-3521-1, https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown?_ga=2.181440484.2145149635.1515760095-1741249263.1499327986)
- Webkitgtk+ (USN-3530-1)
- QEMU (USN-3560-1)
- libvirt (USN-3561-1)
- Cloud images: cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available from https://cloud-images.ubuntu.com for the following releases: ...

Besides microcode_ctl (rosa2016.1, el6), look out for current kernel-firmware (el6) and kernel-headers (el6) too. Take those from the year 2020, making it all mouseclick-fast!

Firewall Linfw3 against Meltdown and Spectre: set group "nobody" as the primary group of surfuser and allow only surfuser, with one additional group named for example surfgroup (instead of nobody), to go online. Linfw3 is able to block even root (UID root, 0; GID root, 0). So nobody is allowed to go online through Linfw3 except surfuser with group surfgroup (instead of its primary group "nobody"), which prevents device drivers from exchanging data, as caused in this case by Meltdown and Spectre. To go paranoid and make it even more confusing for kernel and CPU, set all directories and files owned by surfuser to its primary group "nobody".

To test whether the system is now protected against Meltdown and Spectre, type the following command into a terminal:

head /sys/devices/system/cpu/vulnerabilities/*

If not, update the kernel.
https://www.pcwelt.de/tipps/CPU-Sicher-vor-Meltdown-Spectre-und-Co-10593390.html
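As an added example for this page (not from PC-WELT or the kernel), the same check done in Python: it reads each file under /sys/devices/system/cpu/vulnerabilities/, classifies the status line the kernel writes there, and gives a verdict on whether a kernel or microcode update is still needed. write_sample() builds a constructed directory with sysfs-style status strings so the code also runs on a machine without that directory.

```python
"""Summarise the CPU vulnerability status files in sysfs (added example for this page)."""
import os
import tempfile

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

def classify(status):
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_vulnerabilities(path=SYSFS_VULN_DIR):
    """Return {name: (raw_status, class)} for every file in the directory."""
    report = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            raw = fh.read().strip()
        report[name] = (raw, classify(raw))
    return report

def verdict(report):
    """'ok' when nothing is vulnerable, otherwise name what still needs a kernel
    or microcode update (unrecognised strings are treated as not yet mitigated)."""
    bad = [n for n, (_, c) in report.items() if c in ("vulnerable", "unknown")]
    return "ok" if not bad else "update needed: " + ", ".join(bad)

def write_sample(path=None):
    """Constructed sample directory modelled on a partly patched kernel: the
    Meltdown and Spectre v1 files show mitigations, Spectre v2 and MDS do not."""
    path = path or tempfile.mkdtemp(prefix="cpu_vulns_")
    sample = {
        "l1tf": "Not affected",
        "mds": "Vulnerable: Clear CPU buffers attempted, no microcode",
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable",
    }
    for name, status in sample.items():
        with open(os.path.join(path, name), "w") as fh:
            fh.write(status + "\n")
    return path

if __name__ == "__main__":
    # Use the real sysfs directory when it exists, otherwise the constructed sample.
    where = SYSFS_VULN_DIR if os.path.isdir(SYSFS_VULN_DIR) else write_sample()
    rep = read_vulnerabilities(where)
    for name, (raw, cls) in rep.items():
        print(f"{name:<12} {cls:<13} {raw}")
    print(verdict(rep))
```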

Integrate sensors and chips from the mainboard:
Package lm_sensors (pclos)
sensors-detect
modprobe the modules found and enter them into /etc/modules (for ITX-220: it87, coretemp, i2c-dev, mei)
Note: it might be mouseclick-fast and more secure not to enter them into /etc/modules.
LAN chip: if necessary, activate it in the CMOS/BIOS setup (default: inactive)

Logging off idle users
Idle users are usually a security problem: a user might be idle because he's out to lunch or because a remote connection hung and was not re-established. Whatever the reason, idle users might lead to a compromise:

- because the user's console might be unlocked and can be accessed by an intruder;
- because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted, as in the case of telnet).

Some remote systems have even been compromised through an idle (and detached) screen.

Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:

- If bash is the user shell, a system administrator can set a default TMOUT value (see bash(1)) which will make the shell automatically log off remote idle users. Note that it must be set with the -o option or users will be able to change (or unset) it.
- Install timeoutd and configure /etc/timeouts according to your local security policy. The daemon will watch for idle users and time out their shells accordingly.
- Install autolog and configure it to remove idle users.

The timeoutd or autolog daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell.

Linux: TMOUT to automatically log users out
last updated May 18, 2011

How do I auto-logout my shell user in Linux after a certain number of minutes of inactivity?
The Linux bash shell allows you to define the TMOUT environment variable. Set TMOUT to automatically log users out after a period of inactivity. The value is defined in seconds. For example,

export TMOUT=120

The above command will implement a 2 minute idle time-out for the default /bin/bash shell. You can edit your ~/.bash_profile or /etc/profile file as follows to define a 5 minute idle time out:

# set a 5 min timeout policy for bash shell
TMOUT=300
readonly TMOUT
export TMOUT

Save and close the file. The readonly command is used to make variables and functions read-only, i.e. the user cannot change the value of the variable TMOUT.
How do I disable TMOUT?

To disable auto-logout, just set TMOUT to zero or unset it as follows:
$ export TMOUT=0

or

$ unset TMOUT

Please note that a readonly variable can only be disabled by root in /etc/profile or ~/.bash_profile.
Source: https://www.cyberciti.biz/faq/linux-tmout-shell-autologout-variable/

Or assign a value for SHELL_TIMEOUT (TMOUT) in /etc/security/msec/level.secure
SHELL_TIMEOUT=300

Restricting access to kernel pointers in the proc filesystem (source: Arch Linux)
Note: linux-hardened sets kptr_restrict=2 by default rather than 0.
Enabling kernel.kptr_restrict will hide kernel symbol addresses in /proc/kallsyms from regular users without CAP_SYSLOG, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. This will not help that much on a pre-compiled Arch Linux kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but if you're compiling your own kernel, this can help mitigate local root exploits. This will break some perf commands when used by non-root users (but many perf features require root access anyway). See FS#34323 for more information.
/etc/sysctl.d/50-kptr-restrict.conf
kernel.kptr_restrict = 1

The next point, the fstab option hidepid for proc (source: Arch Linux), should again be applied at your own risk:
hidepid
"Warning: This may cause issues for certain applications like an application running in a sandbox and Xorg.
The kernel has the ability to hide other users' processes, normally accessible via /proc, from unprivileged users by mounting the proc filesystem with the hidepid= and gid= options documented here.
This greatly complicates an intruder's task of gathering information about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, makes it impossible to learn whether any user runs a specific program (given the program doesn't reveal itself by its behaviour), and, as an additional bonus, poorly written programs passing sensitive information via program arguments are now protected against local eavesdroppers.
The proc group, provided by the filesystem package, acts as a whitelist of users authorized to learn other users' process information. If users or services need access to /proc/ directories beyond their own, add them to the group.
For example, to hide process information from other users except those in the proc group:
/etc/fstab
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0"

In the following, and just for our paranoid view, some more security points, now from debian.org (https://www.debian.org/doc/manuals/securing-debian-howto/ch1.en.html up to https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html), might be of interest, such as:

Choose a BIOS password
Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled booting from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn't boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.
Disabling booting unless a password is supplied is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention, which can cause problems if the machine is not easily accessible.
Note: many BIOSes have well known default master passwords, and applications also exist to retrieve the passwords from the BIOS. Corollary: don't depend on this measure to secure console access to the system.
Set

- Supervisor Password
- User Access Level from Full Access, View Only or Limited to No Access - this prevents user access to the BIOS setup utility, so that no changes to the settings are possible anymore. Now the BIOS is protected.
- User Password
- Password Check from (only for BIOS) Setup to Always

Turn off IPv6
If you are not using the IPv6 protocol, you should disable it, because most applications or policies do not require IPv6 and it is currently not required on the server. Open the network configuration file and add the following lines to disable it.

nano /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

https://www.tecmint.com/linux-server-hardening-security-tips/

Boot process: if the message "Can not stat (a named) initscript" occurs during system boot, delete this initscript from all runlevel directories and from init.d:
rm -df /etc/rc0.d/initscript-name
rm -df /etc/rc1.d/initscript-name
...
rm -df /etc/rc6.d/initscript-name
rm -df /etc/init.d/initscript-name

Activate or deactivate kernel modules
Get a listing of the loaded kernel modules with the terminal command lsmod.
In order to make the computer mouseclick-fast, all kernel modules without essential use have to be removed from /etc/rc.modules, while this file makes it possible to load modules by adding the command "modprobe modulename" as the last line.
Following our example hardware from the data sheet, the control modules it87 and i2c-dev can be disabled and the service invoking them, lm_sensors, deactivated.

/etc/X11/xorg.conf, mouseclick-fast for the Intel GMA 945 IGP, a PS/2 mouse (optical or trackball) and a keyboard on a USB port:

# File generated by XFdrake (rev )

# **********************************************************************
# Refer to the xorg.conf man page for details about the format of
# this file.
# **********************************************************************

Section "ServerFlags"
Option "DontZap" "true" # disable <Ctrl> <Alt> <BS> (server abort)
#DontZoom # disable <Ctrl> <Alt> <KP_+> /<KP_->(resolution switching)
Option "AllowMouseOpenFail" "true" # allows the server to start up even if the mouse does not work
Option "DontVTSwitch" "true"
Option "DPMS" "true"
EndSection

Section "Module"
Load "dbe" # Double-Buffering Extension
Load "v4l" # Video for Linux
Load "type1"
Load "freetype"
Load "extmod"
Load "glx" # 3D layer
Load "dri" # direct rendering
EndSection
Section "Extensions"
# compiz needs Composite, but it can cause bad (end even softreset-resistant)
# effects in some graphics cards, especially nv.
Option "Composite" "Enable"
EndSection

Section "Files"
ModulePath "/usr/lib64/xorg/modules"
ModulePath "/usr/lib64/xorg/modules/extensions"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "built-ins"
EndSection

Section "Monitor"
Identifier "monitor1"
HorizSync 47.7
VertRefresh 59.8
DisplaySize 361 203
# Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 -hsync +vsync

# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_60" 74.48 1280 1336 1472 1664 720 721 724 746 -HSync +Vsync

# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_50" 60.47 1280 1328 1456 1632 720 721 724 741 -HSync +Vsync
EndSection

Section "Device"
Identifier "device1" VendorName "Intel Corporation"
BoardName "Intel 810 and later"
Driver "intel"
BusID "PCI:0:2:0"
Screen 0
Option "DPMS"
Option "ZaphodHeads" "VGA1"
Option "AccelMethod" "sna"

#Option "AccelMethod" "exa"

#Option "AccelMethod" "uxa"

#Option "AccelMethod" "glamour"
Option "MigrationHeuristic" "greedy"

#Option "EXAPixmaps" "off"
Option "DRI" "3"
#Option "DRI" "2"
Option "TearFree" "off"
Option "ColorTiling" "on"
Option "ColorTiling2D" "on"
Option "EnablePageFlip" "on"
#Option "ShadowPrimary" "on"
### Available Driver options are:-
### Values: <i> : integer, <f> : float, <bool> : "True"/"False",
### <string> : "String", <freq> : "<f>Hz/kHz/MHz",
### <percent> : "<f> %"
### [arg]: arg optional
# left by default https://www.mankier.com/4/intel
#Option "Backlight" # [<str> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "VideoKey" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "ZaphodHeads" # <str>
#Option "Accel" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "Present" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "CustomeEDID" # [<bool> ]
#Option "VSync" # [<bool> ]
#Option "PageFlip" # [<bool> ]
#Option "HWRotation" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "Virtualheads" # <i>
#Option "Throttle" # [<bool> ]
#Option "NoAccel" # [<bool> ]
#Option "AccelMethod" # <str>
#Option "Backlight" # <str>
#Option "ColorKey" # <i>
#Option "VideoKey" # <i>
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "Throttle" # [<bool> ]
#Option "DelayedFlush" # [<bool> ]
#Option "TearFree" # [<bool> ]
#Option "PerCrtcPixmaps" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "BufferCache" # [<bool> ]
#Option "TripleBuffer" # [<bool> ]
#Option "SWcursor" # [<bool> ]
#Option "kmsdev" # <str>
#Option "ShadowFB" # [<bool> ]
#Option "Rotate" # <str>
Option "fbdev" "on"
#Option "debug" # [<bool> ]
#Option "ShadowFB" # [<bool> ]
#Option "DefaultRefresh" # [<bool> ]
#Option "ModeSetClearScreen" # [<bool> ]
EndSection

Section "Screen"
Identifier "screen1"
Device "device1"
Monitor "monitor1"
DefaultColorDepth 24

Subsection "Display"
Depth 24
Modes "1366×768" "1360×765" "1280×720" "1024×768"
EndSubsection
EndSection

Section "ServerLayout"
Identifier "layout1" Screen "screen1"
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mymouse1" "CorePointer"
Option "AIGLX" "true"
EndSection
# LOGITECH OPTICAL PS2-PORT-MOUSE
Section "InputDevice"
Identifier "Mymouse1"
Driver "mouse"

#Option "Device" "/dev/ttyS0"
Option "Protocol" "ImPS/2"

#Option "Device" "/dev/psaux"

#Option "Device" "/dev/ttyS0"

Option "Device" "/dev/input/mice"
Option "Emulate3Buttons" "true"
Option "CorePointer"

#Option "Protocol" "Auto"
#Option "Protocol" "ExplorerPS/2"

#Option "Protocol" "auto"

Option "ZAxisMapping" "4 5"
#Option "ZAxisMapping" "4 5 6 7"
EndSection

Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "kbd"
Option "CoreKeyboard"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "de"

EndSection

OK Do not connect to the Internet until ready
The system should not be immediately connected to the Internet during installation. This could sound stupid but network installation is a common method. Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.

OK Run the minimum number of services required
Services are programs such as ftp servers and web servers. Since they have to be listening for incoming connections that request the service, external computers can connect to yours. Services are sometimes vulnerable (i.e. can be compromised under a given attack) and hence present a security risk. Unwanted services might be: telnet, ftp, smbd and nmbd (Samba), portmap (NFS), automount (NFS, network file system), rexec, named (DNS), lpd (printer), inetd, ...
https://www.tecmint.com/remove-unwanted-services-from-linux/

OK Set a LILO or GRUB password
What matters for updates should mostly not be the version of the rpm but the new release of one and the same version (backport concept).

OK umask (see man umask): recommended values:
/etc/fstab: option umask 077 at least for the root and home partition
~/.bashrc: umask 077 # for all users
~/.bash_profile: umask 077 # for all users
/etc/profile: umask 022 # to keep most of all accessible for a user

OK Disable root prompt on the initramfs
Note: This applies to the default kernels provided for releases after Debian 3.1
Linux 2.6 kernels provide a way to access a root shell while booting, which will be presented on error while loading the initramfs. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for initramfs-tools generated initramfs. The following message will appear:

ALERT! /dev/sda1 does not exist. Dropping to a shell!

In order to remove this behavior you need to set the boot argument panic=0. Add this to the variable GRUB_CMDLINE_LINUX in /etc/default/grub and issue update-grub, or to the append section of /etc/lilo.conf.

OK Remove root prompt on the kernel
Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0.
Linux 2.4 kernels provide a way to access a root shell while booting, which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions; this shell can be used to manually load modules when autodetection fails. This behavior is the default for initrd's linuxrc. The following message will appear:

Press ENTER to obtain a shell (waits 5 seconds)

In order to remove this behavior you need to change /etc/mkinitrd/mkinitrd.conf and set:

# DELAY The number of seconds the linuxrc script should wait to
# allow the user to interrupt it before the system is brought up
DELAY=0

Then regenerate your ramdisk image. You can do this for example with:

# cd /boot
# mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7

or (preferred):

# dpkg-reconfigure -plow kernel-image-2.4.x-yz

OK Restricting console login access
Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with su or sudo). This policy is implemented in Debian by editing the /etc/pam.d/login and the /etc/securetty when using PAM (make a backup, before doing this!):

/etc/pam.d/login enables the pam_securetty.so module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user.
securetty by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX and vc/X (if using devfs devices); you might want to add also ttySX if you are using a serial console for local access (where X is an integer; you might want to have multiple instances). The default configuration for Wheezy includes many tty devices, serial ports, vc consoles as well as the X server and the console device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing /etc/inittab. For more information on terminal devices read the Text-Terminal-HOWTO.

When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature, that can be disabled, is the possibility to login with null (blank) passwords. This feature can be limited by removing nullok from the line:

auth required pam_unix.so nullok

Our /etc/pam.d/login:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_tally2.so deny=3 even_deny_root unlock_time=2400
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so

OK securetty
is the file where terminals for the login of root are added or deleted. If local access by console only should be allowed, then add console, ttyX and vc/X (if the devfs interface is used, where X is an integer).
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html

The primary entry types and their effects are as follows:
If /etc/securetty doesn't exist, root is allowed to login from any tty
If /etc/securetty exists and is empty, root access will be restricted to single user mode or programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp)
if you are using devfs (a deprecated filesystem for handling /dev), adding entries of the form vc/[0-9]* will permit root login from the given virtual console number
if you are using udev (for dynamic device management and replacement for devfs), adding entries of the form tty[0-9]* will permit root login from the given virtual console number
listing console in securetty normally has no effect since /dev/console points to the current console and is normally only used as the tty filename in single user mode, which is unaffected by /etc/securetty
adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to login into root assuming the allocated pty is one of the ones listed; it's normally a good idea not to include these entries because it's a security risk; it would allow, for instance, someone to login into root via telnet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev which is used in RHEL 5.5; it will be different if using devfs or some other form of device management)
For single user mode, /etc/securetty is not consulted because sulogin is used instead of login. See the sulogin man page for more info. Also you can change the login program used in /etc/inittab for each runlevel.
https://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty

OK Restricting system reboots through the console
If your system has a keyboard attached to it, anyone (yes, anyone) with physical access to the system can reboot it without logging in, just by pressing the Ctrl+Alt+Delete key combination, also known as the three finger salute. This might, or might not, adhere to your security policy.
This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might virtually send it and force a system reboot.

There are two ways to restrict this:
configure it so that only allowed users can reboot the system,
disable this feature completely.

If you want to restrict this, you must check the /etc/inittab so that the line that includes ctrlaltdel calls shutdown with the -a switch.
The default in Debian includes this switch:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

The -a switch, as the shutdown(8) manpage describes, makes it possible to allow some users to shut down the system. For this the file /etc/shutdown.allow must be created and the administrator has to include there the names of users who can reboot the system. When the three finger salute combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.
If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the ctrlaltdel definition in the /etc/inittab.
Remember to run init q after making any changes to the /etc/inittab file for the changes to take effect.

OK Restricting the use of the Magic SysRq key
The Magic SysRq key is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously Alt+SysRq and a command key. The SysRq key in many keyboards is labeled as the Print Screen key.
Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the /proc/sys/kernel/sysrq exists and reviewing its value:

$ cat /proc/sys/kernel/sysrq
438

The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allows users connected to the console to remount all file systems read-only, reboot the system or cause a kernel panic. If all the features are enabled, or in older kernels (earlier than 2.6.12), the value will be just 1.
You should disable this functionality if access to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system, or it is running in a virtualised environment and other users access the console. To do this, edit /etc/sysctl.conf and add the following lines:

# Disables the magic SysRq key
kernel.sysrq = 0

OK User authentication: PAM
PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).
Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:

what backend is used for authentication.

what backend is used for sessions.

how do password checks behave.

The following description is far from complete, for more information you might want to read the Linux-PAM Guides as a reference. This documentation is available in the system if you install the libpam-doc at /usr/share/doc/libpam-doc/html/.
PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure if one module fails.
More about PAM: https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html, chapter 4.11

OK User login actions: edit /etc/login.defs (make a backup, before doing this!)
The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration; it's a configuration file honored by the login and su programs, so it doesn't make sense tuning it for cases where neither of the two programs is at least indirectly called (the getty program which sits on the consoles and offers the initial login prompt does invoke login).

FAILLOG_ENAB yes

If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack.

LOG_UNKFAIL_ENAB no

If you set this variable to 'yes' it will record unknown usernames if the login failed. It is best if you use 'no' (the default) since, otherwise, user passwords might be inadvertently logged here (if a user mistypes and they enter their password as the username). If you set it to 'yes', make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm).

SYSLOG_SU_ENAB yes

This one enables logging of su attempts to syslog. Quite important on serious machines but note that this can create privacy issues as well.

SYSLOG_SG_ENAB yes

The same as SYSLOG_SU_ENAB but applies to the sg program.

ENCRYPT_METHOD SHA512

As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in /etc/pam.d/common-password.

OK User login actions: edit /etc/pam.d/login (make a backup, before doing this!)
You can adjust the login configuration file to implement a stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:

auth optional pam_faildelay.so delay=3000000

Increase the delay value to make it harder to use the terminal to log in by brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set delay=10000000, users will have to wait 10 seconds if they type a wrong password.

In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:

# auth required pam_issue.so issue=/etc/issue

If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user access is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the /etc/issue [24] file and uncomment the line enabling the pam_issue.so module in /etc/pam.d/login. In this file you can also enable additional features which might be relevant to apply local security policies such as:

setting rules for which users can access at which times, by enabling the pam_time.so module and configuring /etc/security/time.conf accordingly (disabled by default),

setup login sessions to use user limits as defined in /etc/security/limits.conf (enabled by default),

present the user with the information of previous login information (enabled by default),

print a message (/etc/motd and /run/motd.dynamic) to users after logging in (enabled by default).
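Added example (written for this page, not code from the Debian HOWTO or from the page's own configuration): a checker that parses /etc/pam.d/login rules and reports the weaknesses discussed in this section and in the "Our /etc/pam.d/login" listing above: nullok on pam_unix, a pam_faildelay below the 3 second default, no lockout module with deny=, and no pam_securetty. The sample input is constructed; files pulled in with "include" (system-auth) are not followed.

```python
"""Policy checker for /etc/pam.d/login lines (added example, not from the
page). Each rule is parsed into (type, control, module, args) and the
checks the text above discusses are run over the auth stack."""
import re

# Constructed sample, modelled on the /etc/pam.d/login shown on this page,
# with two weaknesses inserted on purpose: nullok and a 1-second faildelay.
SAMPLE_LOGIN = """\
#%PAM-1.0
auth       required   pam_securetty.so
auth       optional   pam_faildelay.so delay=1000000
auth       include    system-auth
auth       required   pam_unix.so nullok
account    required   pam_nologin.so
session    required   pam_loginuid.so
-session   optional   pam_ck_connector.so
"""

MIN_FAILDELAY_USEC = 3_000_000          # the Debian default quoted above
LOCKOUT_MODULES = ("pam_tally2.so", "pam_faillock.so")


def parse_pam_lines(text):
    """Return a list of dicts for every non-comment rule in a pam.d file.
    A leading '-' (skip the rule if the module is missing) is stripped from
    the type; bracketed controls like [success=1 default=ignore] stay whole.
    Rules pulled in via 'include' are NOT followed."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue  # malformed line: PAM would log and ignore it
        _optional, typ, control, module, args = m.groups()
        rules.append({"type": typ.lower(), "control": control,
                      "module": module, "args": args.split()})
    return rules


def check_login_policy(text):
    """Return a sorted list of finding strings; an empty list means every
    check passes."""
    rules = parse_pam_lines(text)
    auth = [r for r in rules if r["type"] == "auth"]
    findings = []

    # 1. Blank passwords: 'nullok' on pam_unix in the auth stack.
    for r in auth:
        if r["module"] == "pam_unix.so" and "nullok" in r["args"]:
            findings.append("pam_unix.so allows empty passwords (nullok)")

    # 2. Brute-force slowdown: pam_faildelay present and long enough.
    delays = [r for r in auth if r["module"] == "pam_faildelay.so"]
    if not delays:
        findings.append("no pam_faildelay.so in the auth stack")
    for r in delays:
        for a in r["args"]:
            if a.startswith("delay="):
                usec = int(a.split("=", 1)[1])
                if usec < MIN_FAILDELAY_USEC:
                    findings.append(f"pam_faildelay delay={usec} is below "
                                    f"{MIN_FAILDELAY_USEC} microseconds")

    # 3. Lockout after repeated failures (pam_tally2 deny=3 on this page).
    if not any(r["module"] in LOCKOUT_MODULES and
               any(a.startswith("deny=") for a in r["args"]) for r in auth):
        findings.append("no lockout module (pam_tally2/pam_faillock) with deny=")

    # 4. Root restricted to the terminals listed in /etc/securetty.
    if not any(r["module"] == "pam_securetty.so" for r in auth):
        findings.append("pam_securetty.so missing: root may log in on any tty")

    return sorted(findings)


if __name__ == "__main__":
    for finding in check_login_policy(SAMPLE_LOGIN) or ["no findings"]:
        print(finding)
```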

OK Restricting ftp: editing /etc/ftpusers (make a backup, before doing this!)
The /etc/ftpusers file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services.
A convenient way to add all system accounts to the /etc/ftpusers is to run

$ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers

OK Disallow remote administrative access
You should also modify /etc/security/access.conf to disallow remote logins to administrative accounts. This way users need to invoke su (or sudo) to use any administrative powers and the appropriate audit trace will always be generated.
You need to add the following line to /etc/security/access.conf; the default Debian configuration file has a sample line commented out (this also makes your system mouseclick-fast; do not forget to make a backup of this file before doing this!).
As already described in the comments of /etc/security/access.conf, for root, system users and ordinary users:

# User "root" should be denied to get access from all other sources.
- : root : ALL
- : user : ALL
- : surfuser : 127.0.0.0/24
- : toruser : 127.0.0.0/24
- : uuidd : ALL
- : messagebus : ALL
- : wheel : ALL EXCEPT LOCAL
- : ftp : ALL
- : mail : ALL
- : pop3ad : ALL
- : bin : ALL
- : daemon : ALL
- : adm : ALL
- : sync : ALL
- : halt : ALL
- : news : ALL
# All other users should be denied to get access from all sources.
- : ALL : ALL


Look out for other important options in this file too. Remember to enable the pam_access module for every service (or default configuration) in /etc/pam.d/ if you want your changes to /etc/security/access.conf honored.
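Added example, not part of the page or of Linux-PAM: a simplified model of how pam_access walks /etc/security/access.conf, used to show what the rule set above actually decides for a few logins. It implements only the syntax the page uses (+/- permission, user and group names, ALL, LOCAL, IPv4 addresses and CIDR networks, ALL EXCEPT); hostname and netgroup matching are left out, and group membership comes from a constructed dict rather than /etc/group.

```python
"""Simplified pam_access evaluator (added example, not Linux-PAM code)."""
import ipaddress

# A shortened copy of the rule set above; the final catch-all is kept.
PAGE_ACCESS_CONF = """\
# User "root" should be denied to get access from all other sources.
- : root : ALL
- : user : ALL
- : surfuser : 127.0.0.0/24
- : toruser : 127.0.0.0/24
- : uuidd : ALL
- : messagebus : ALL
- : wheel : ALL EXCEPT LOCAL
- : ftp : ALL
# All other users should be denied to get access from all sources.
- : ALL : ALL
"""

# Constructed group membership (pam_access reads it from /etc/group).
GROUPS = {"wheel": {"adminuser"}}


def parse_access_conf(text):
    """Return [(permission, [user tokens], [origin tokens])], skipping
    comments and lines that do not have exactly three ':' fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0][:1] not in ("+", "-"):
            continue  # pam_access logs such lines as bad and ignores them
        rules.append((fields[0][0], fields[1].split(), fields[2].split()))
    return rules


def _list_match(tokens, item_matches):
    """A field with 'ALL EXCEPT' matches when an item before EXCEPT matches
    and no item after EXCEPT does; otherwise any item may match."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
        return (any(item_matches(t) for t in head)
                and not any(item_matches(t) for t in tail))
    return any(item_matches(t) for t in tokens)


def user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # explicit group
        return user in groups.get(token[1:-1], ())
    # A plain name is tried as a user name first, then as a group name.
    return token == user or user in groups.get(token, ())


def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":
        # pam_access: LOCAL matches origins without a '.' or ':' (ttys,
        # unqualified host names); IP addresses are therefore never LOCAL.
        return "." not in origin and ":" not in origin
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        return token == origin            # tty name or host name
    try:
        return addr in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False


def is_allowed(rules, user, origin, groups=GROUPS):
    """The first rule whose user and origin fields both match decides; with
    no match pam_access grants access, which is why the page ends its file
    with '- : ALL : ALL' (that line also denies local logins of normal users
    not allowed by an earlier '+' rule)."""
    for perm, users, origins in rules:
        if (_list_match(users, lambda t: user_matches(t, user, groups)) and
                _list_match(origins, lambda t: origin_matches(t, origin))):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_access_conf(PAGE_ACCESS_CONF)
    for who, where in [("root", "tty1"), ("surfuser", "127.0.0.1"),
                       ("surfuser", "tty1"), ("adminuser", "tty1")]:
        print(f"{who:>10} from {where:<10} ->",
              "allow" if is_allowed(rules, who, where) else "deny")
```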

OK Configuring syncookies
This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs).

net/ipv4/tcp_syncookies = 1

If you want this option set every time the system boots, you need to change it in /etc/network/options by setting syncookies=yes. This will take effect whenever /etc/init.d/networking is run (which is typically done at boot time), while the following will have a one-time effect until the reboot:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies # e.g. within /etc/rc.local

This option will only be available if the kernel is compiled with the CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option builtin but you can verify it running:

$ sysctl -A | grep syncookies
net/ipv4/tcp_syncookies = 1

For more information on TCP syncookies read http://cr.yp.to/syncookies.html.

Disabling weak-end hosts issues
Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given hardware address (interface card).
This is not an ARP issue and it's not an RFC violation (it's called weak end host in RFC1122, section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces.
On 2.2 (and previous) kernels this can be fixed with:

# echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden

On later kernels this can be fixed either with:

iptables rules.

properly configured routing.

kernel patching.

Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

OK Using tcpwrappers
TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they're still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at hosts_access(5).
Many services installed in Debian are either:

launched through the tcpwrapper service (tcpd)

compiled with libwrapper support built-in.

On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.

To see which packages use tcpwrappers [31] try:

$ apt-cache rdepends libwrap0

Take this into account when running tcpdchk (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the hosts.deny and hosts.allow files, tcpdchk will warn you that it is not able to find the mentioned services since it only looks for them in /etc/inetd.conf (the manpage is not totally accurate here).

Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers:

ALL: ALL: SPAWN ( \
echo -e "\n\
TCP Wrappers\: Connection refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /usr/bin/mail -s "Connection to %d blocked" root) &

Beware: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

OK Protecting against ARP attacks
When you don't trust the other boxes on your LAN (which should always be the case, because it's the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know, the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache, then, if the IP isn't present in the cache, by broadcasting an ARP query) to find the target's hardware address. All the ARP attacks aim to fool your box into thinking that box B's IP address is associated with the intruder's MAC address; then every packet that you want to send to the IP associated with box B will be sent to the intruder's box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exist, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:
Use a static ARP cache. You can set up "static" entries in your ARP cache with:

arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don't expire and can't be modified) and spoofed ARP replies will be ignored.
Detect suspicious ARP traffic. You can use arpwatch, karpski or a more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html
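Added example (not code from the page, from arpwatch or from dsniff): a small arpwatch-style detector run over constructed ARP-reply records, illustrating the second countermeasure above. It pins the important hosts the way the arp -s step does and flags replies that contradict a pinned entry, a dynamic host whose MAC flips, and one MAC answering for several IPs; all addresses are made up.

```python
"""arpwatch-style ARP anomaly detector over constructed records (added
example, not from the page)."""
from collections import defaultdict

# Static entries for the important hosts, as 'arp -s host_name hdwr_addr'
# would pin them in the kernel cache (constructed addresses).
STATIC_ARP = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway
    "192.168.1.10": "00:11:22:33:44:10",  # file server
}

# Constructed observation log: (timestamp, sender IP, sender MAC) as an
# ARP-reply sniffer would record them. The two entries at 10:00:09/10
# simulate one host answering for both the gateway and the file server.
OBSERVED = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:01"),
    ("10:00:02", "192.168.1.20", "00:11:22:33:44:20"),
    ("10:00:03", "192.168.1.10", "00:11:22:33:44:10"),
    ("10:00:09", "192.168.1.1", "de:ad:be:ef:00:99"),
    ("10:00:10", "192.168.1.10", "de:ad:be:ef:00:99"),
    ("10:00:11", "192.168.1.20", "00:11:22:33:44:20"),
]


def detect_arp_anomalies(static, observed, max_ips_per_mac=1):
    """Return a list of (timestamp, kind, ip, mac) alerts, in log order.

    kind is:
      'static_mismatch' - a reply contradicts a pinned entry; the kernel
                          ignores such replies, but they still reveal a
                          host trying to take over the address;
      'flip_flop'       - an unpinned IP changed its MAC (verify before
                          acting: a replaced NIC looks the same);
      'mac_claims_many' - one MAC has been the sender for more than
                          max_ips_per_mac distinct IPs (raise the limit for
                          routers or hosts with several addresses)."""
    alerts = []
    ips_by_mac = defaultdict(set)
    seen = {}   # dynamic IP -> MAC learned from earlier replies
    for ts, ip, mac in observed:
        mac = mac.lower()
        pinned = static.get(ip)
        if pinned is not None:
            if pinned.lower() != mac:
                alerts.append((ts, "static_mismatch", ip, mac))
        else:
            if ip in seen and seen[ip] != mac:
                alerts.append((ts, "flip_flop", ip, mac))
            seen[ip] = mac
        ips_by_mac[mac].add(ip)
        # Alert exactly once, when the limit is first exceeded.
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append((ts, "mac_claims_many", ip, mac))
    return alerts


if __name__ == "__main__":
    for ts, kind, ip, mac in detect_arp_anomalies(STATIC_ARP, OBSERVED):
        print(f"{ts} {kind:16} {ip:15} {mac}")
```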

OK Securing FTP
If you really have to use FTP (without wrapping it with sslwrap or inside an SSL or SSH tunnel), you should chroot ftp into the ftp users' home directory, so that the user is unable to see anything else than their own directory. Otherwise they could traverse your root file system just like if they had a shell in it. You can add the following line in your proftpd.conf in your global section to enable this chroot feature:

DefaultRoot ~

Restart ProFTPd by /etc/init.d/proftpd restart and check whether you can escape from your homedir now.
To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf:

DenyFilter \*.*/
Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service) and there are better alternatives in Debian for this. For example, sftp (provided by ssh). There are also free implementations of SSH for other operating systems: putty and cygwin for example.
However, if you still maintain the FTP server while making users access through SSH you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in the FTP server. While the access will be refused, the password will nevertheless be sent through the net in clear form. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users feeding the anonymous FTP server with valid SSH accounts. More information and patch available at: ProFTPD Patches. This patch has been reported to Debian too, see Bug #145669.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

OK Boot-break kernel or haldaemon (hal, hald)?
The kernel (in our case 4.20.13) or haldaemon (hal) on Mandriva derivatives as well as CentOS 6 causes a considerable pause of around 30 to 45 seconds during system boot and shutdown.
Configuration of hal:

/etc/hal.conf
<!-- This configuration file controls the Hardware Abstraction Layer
daemon - it is meant that OS vendors customize this file to reflect
their desired policy.
-->

<haldconfig>

<!-- If true, then the device list is saved to disk such that
properties are kept between invocations of hald.
-->
<persistent_device_list>false</persistent_device_list>

<!-- Default value for storage.media_check_enabled for devices of
capability storage - this can be overridden by .fdi files.

Setting this to false results a whitelist policy, e.g. media
check is only enabled for storage devices with a .fdi file
saying so.

Conversely, setting it to true results in a blacklist policy
where media check is enabled by default but may be overridden
by a .fdi for devices causing trouble.
-->
<storage_media_check_enabled>true</storage_media_check_enabled>

<!-- Default value for storage.automount_enabled_hint for devices of
capability storage - this can be overridden by .fdi files.

Setting this to false results a whitelist policy, e.g. policy
agents should only automount storage devices with a .fdi file
saying so.

Conversely, setting it to true results in a blacklist policy
where policy agents should always automount unless this is
explicitly overridden by .fdi for devices causing trouble.
-->
<storage_automount_enabled_hint>true</storage_automount_enabled_hint>
https://www.thegeekdiary.com/linux-os-service-haldaemon/

Deprecated
As of 2011, Linux distributions such as Ubuntu,[5] Debian,[6] and Fedora and on FreeBSD,[7] and projects such as KDE,[8] GNOME and X.org are in the process of deprecating HAL as it has "become a large monolithic unmaintainable mess".[5] The process is largely complete, but some use of HAL remains – Debian squeeze (Feb 2011) and Ubuntu version 10.04 remove HAL from the basic system and boot process.[9] In Linux, it is in the process of being merged into udev (main udev, libudev, and udev-extras) and existing udev and kernel functionality. The replacement for non-Linux systems such as FreeBSD is devd.
Initially a new daemon DeviceKit was planned to replace certain aspects of HAL, but in March 2009, DeviceKit was deprecated in favor of adding the same code to udev as a package: udev-extras, and some functions have now moved to udev proper.
https://en.wikipedia.org/wiki/HAL_(software)

Disabling useless daemons in RHEL/Centos/Oracle 6 servers
HAL is an attractive attack surface because it acts as an intermediary for privileged operations (mounting and device access on behalf of unprivileged users) and should be disabled unless it is needed: # chkconfig haldaemon off.
The hald, the Hardware Abstraction Layer daemon, runs several helper processes to keep track of the hardware installed in your system. This includes polling USB drives and hot-swap devices for changes, along with a host of other tasks.
You might see it running on your system as follows:
2474 ? S 0:00 \_ hald-runner
2481 ? S 0:00 \_ hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
2487 ? S 0:00 \_ hald-addon-keyboard: listening on /dev/input/event0
2495 ? S 41:47 \_ hald-addon-storage: polling /dev/hdc

If your system is static and its devices do not change, the storage polling can be switched off with a policy entry. Create a file in the policy directory, for example /etc/hal/fdi/policy/99-custom.fdi, that removes the hald-addon-storage add-on from every device with the storage capability:

<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <!-- every device that has the storage capability (disks, CD/DVD drives) -->
    <match key="info.capabilities" contains="storage">
      <remove key="info.addons" type="strlist">hald-addon-storage</remove>
    </match>
  </device>
</deviceinfo>

Save it and reload hald with /etc/init.d/haldaemon restart; the hald-addon-storage process will no longer poll your drives (compare the ps output above, where it had accumulated 41 minutes of CPU time).
To turn polling back on, remove that policy file and restart the haldaemon again; it will be back in service.
Solution Credit: Linuxforums User cn77
www.softpanorama.org/Commercial_linuxes/RHEL/Daemons/removing_daemons_in_rhel6.shtml

udev rule for a PS/2 mouse (optical mouse from Logitech®)

The match keys below are the results of "udevadm info -a -p /devices/platform/i8042/serio1/input/input12". Within one rule the keys are separated by commas, and a rule consisting of match keys only does nothing by itself: it needs an assignment (for example an ENV, TAG or OPTIONS entry) at its end to have an effect. Note also that the event number in KERNEL=="input12" is not stable across boots, whereas ATTR{name} and ATTR{phys} are.

/etc/udev/rules.d/10-ps2mouse.rules
# match keys of the mouse itself (ATTR) and of its parent serio port (ATTRS); append an assignment to make the rule do something
KERNEL=="input12", SUBSYSTEM=="input", DRIVER=="", ATTR{uniq}=="", ATTR{properties}=="1", ATTR{phys}=="isa0060/serio1/input0", ATTR{name}=="ImExPS/2 Logitech Wheel Mouse", ATTR{modalias}=="input:b0011v0002p0006e0063-e0,1,2,k110,111,112,113,114,r0,1,6,8,amlsfw", KERNELS=="serio1", SUBSYSTEMS=="serio", DRIVERS=="psmouse", ATTRS{resetafter}=="5", ATTRS{resolution}=="200", ATTRS{description}=="i8042 AUX port", ATTRS{firmware_id}=="PNP: PNP0f03 PNP0f13", ATTRS{protocol}=="ImExPS/2", ATTRS{rate}=="100", ATTRS{bind_mode}=="auto", ATTRS{resync_time}=="0", ATTRS{modalias}=="serio:ty01pr00id00ex00"

OKSecure RPC services
Deactivate RPC (rpcbind on el6, portmap on older systems) or uninstall it, if it is not needed.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html

OKhaveged
The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.

OKtcp_wrappers for servers

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK and other network services.
It supports both 4.3BSD-style sockets and System V.4-style TLI. Count yourself lucky if you don't know what that means.
The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.
Optional features are: access control to restrict which systems can connect to which network daemons; client user name lookups with the RFC 931 (ident) protocol; additional protection against hosts that pretend to have someone else's host name; additional protection against hosts that pretend to have someone else's host address. The access control is configured in /etc/hosts.allow and /etc/hosts.deny (see hosts_access(5)); a connection matched by neither file is allowed, so hosts.deny should end with "ALL: ALL".
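To see how the two files interact, here is an added example (not part of the original page and not code from the tcp_wrappers package): a small POSIX shell re-implementation of the hosts_access(5) evaluation order, run against a constructed hosts.allow/hosts.deny pair. It covers only the pattern forms named in its header; on a real system, tcpdmatch(8) from the tcp_wrappers package answers the same question against the live files. The file paths and the sample policy are assumptions made for the demonstration.

```shell
#!/bin/sh
# tcpwrap_check.sh - evaluate a (daemon, client) pair against hosts.allow and
# hosts.deny in the order hosts_access(5) uses: the first matching line in
# hosts.allow grants access; otherwise the first matching line in hosts.deny
# refuses it; a pair matched by neither file is GRANTED, which is why
# hosts.deny should end with "ALL: ALL". Small re-implementation for studying
# a policy offline (tcpdmatch(8) does this for the live files); understood
# patterns: ALL, LOCAL, exact names/addresses, ".domain" suffixes, dotted
# "net/mask" pairs and "list EXCEPT list". A third field (shell command) is ignored.

# dotted quad -> 32-bit integer, for the net/mask comparison
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# match_token <pattern> <name> -> 0 if a single pattern token matches the name
match_token() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;  # names without a dot
        .*)    case "$2" in *"$1") return 0 ;; esac; return 1 ;;     # domain suffix
        */*)   case "$2" in *[!0-9.]*) return 1 ;; esac              # only addresses match net/mask
               [ $(( $(ip2int "$2") & $(ip2int "${1#*/}") )) -eq \
                 $(( $(ip2int "${1%/*}") & $(ip2int "${1#*/}") )) ] ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# match_list <list> <name> -> 0 if any token of the comma/space separated list
# matches; "A EXCEPT B" matches when A matches and B does not
match_list() {
    case "$1" in
        *" EXCEPT "*)
            match_list "${1%% EXCEPT *}" "$2" || return 1
            if match_list "${1#* EXCEPT }" "$2"; then return 1; fi
            return 0 ;;
    esac
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

# file_matches <file> <daemon> <client> -> 0 if a "daemons : clients" line matches
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        line="${line%%#*}"                       # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr -s ' \t' ' ')
        rest="${line#*:}"
        clist=$(printf '%s' "${rest%%:*}" | tr -s ' \t' ' ')
        match_list "$dlist" "$2" || continue
        match_list "$clist" "$3" && return 0
    done < "$1"
    return 1
}

# hosts_access <daemon> <client> [allow-file] [deny-file] -> 0 granted, 1 refused
hosts_access() {
    if file_matches "${3:-/etc/hosts.allow}" "$1" "$2"; then return 0; fi
    if file_matches "${4:-/etc/hosts.deny}" "$1" "$2"; then return 1; fi
    return 0   # matched nowhere: tcp_wrappers lets the connection through
}

# usage: tcpwrap_check.sh sshd 192.168.1.5 [hosts.allow hosts.deny]
if [ -n "${2:-}" ]; then
    if hosts_access "$1" "$2" "${3:-}" "${4:-}"; then echo granted; else echo refused; fi
fi
```

The last return in hosts_access is the point of the exercise: with an empty hosts.deny every client that hosts.allow does not mention gets through, so the deny file is what turns the wrappers into a default-deny filter.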

OKSecuring Squid
Squid is one of the most popular proxy/cache servers, and there are some security issues that should be taken into account. Squid's default configuration file denies all user requests; the Debian package, however, allows access from 'localhost', so you only need to configure your browser properly. Configure Squid to allow access only to trusted users, hosts or networks by defining Access Control Lists in /etc/squid/squid.conf (see the Squid User's Guide for more information about defining ACL rules). Notice that Debian provides a minimum configuration for Squid that prevents anything except localhost from connecting to your proxy server (which runs on the default port 3128). Customize your /etc/squid/squid.conf as needed. The recommended minimum configuration (provided with the package) is shown below:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
(...)
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

You should also configure Squid based on your system resources, including cache memory (option cache_mem), location of the cached files and the amount of space they will take up on disk (option cache_dir).
Notice that, if not properly configured, someone may relay a mail message through Squid, since the HTTP and SMTP protocols are designed similarly. Squid's default configuration file denies access to port 25 because it is not in the Safe_ports list. If you wish to allow connections to port 25, add it to the Safe_ports list; however, this is NOT recommended.
Setting and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid´s logs to assure that all things are working as they should be working. There are some packages in Debian GNU/Linux that can help an administrator to do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):

calamaris - Log analyzer for Squid or Oops proxy log files.
modlogan - A modular logfile analyzer.
sarg - Squid Analysis Report Generator.
squidtaild - Squid log monitoring program.

When using Squid in accelerator mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don't need to worry about this. If you want to use this feature, be sure that it is really necessary. To find more information about accelerator mode in Squid see the Squid User's Guide - Accelerator Mode.


OKSecuring printing access (the lpd and lprng issue)
Imagine you arrive at work and the printer is spitting out endless amounts of paper because someone is DoSing your line printer daemon. Nasty, isn't it?
In any UNIX printing architecture there has to be a way to get the client's data to the host's print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why these programs are usually SUID or SGID).
In order to avoid any issues you should keep your print servers especially secure. This means you need to configure your printer service so that it only allows connections from a set of trusted servers. To do this, add the servers you want to allow to print to your /etc/hosts.lpd.
However, even if you do this, the lpr daemon accepts incoming connections on port 515 of any interface. You should consider firewalling connections from networks/hosts which are not allowed to print (the lpr daemon cannot be limited to listen only on a given IP address).
Lprng should be preferred over lpr since it can be configured to do IP access control, and you can specify which interface to bind to (although in a somewhat unusual way).
If you are using a printer on your system, but only locally, you will not want to share this service over a network. You can consider other printing systems, like the one provided by cups, or PDQ, which is based on the user permissions of the /dev/lp0 device.
In cups, the print data is transferred to the server via the HTTP protocol. This means the client program doesn't need any special privileges, but it does require that the server is listening on a port somewhere.
However, if you want to use cups only locally, configure it in /etc/cups/cupsd.conf to bind to the loopback interface and the local domain socket. Comments in cupsd.conf must be on lines of their own, and do not use "Port 631": it is the same as listening on all interfaces.

# loopback and the local socket only; "localhost" covers both 127.0.0.1 and ::1,
# which is why it is preferred over a bare "Listen 127.0.0.1:631"
Listen localhost:631
Listen /var/run/cups/cups.sock

There are many other security options, like allowing or denying networks and hosts, in this config file. However, if you do not need them you might be better off just limiting the listening address. Cups also serves its documentation through the HTTP port; if you do not want to disclose potentially useful information to outside attackers (and the port is open), add also:

<Location />
  # "Allow From @LOCAL" instead of 127.0.0.1 would admit the whole local subnet
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
</Location>

This configuration file can be modified to add some more features including SSL/TLS certificates and crypto. The manuals are available at http://localhost:631/ or at cups.org.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html
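The lpd, cups and Squid advice above comes down to one recurring check: which daemons listen on an address other than loopback. The script below is an added example, not from the Debian manual and not from Gooken, that performs that check on the output of "ss -ltn"; the ss lines embedded in it are constructed for the demonstration, and the port-to-name table only covers the services discussed on this page.

```shell
#!/bin/sh
# listen_check.sh - report TCP listeners that are reachable from the network,
# i.e. bound to anything other than a loopback address. Input is the output
# of "ss -ltn" (one LISTEN line per socket, local address in column 4);
# the sample below is constructed for the demonstration.

# map the well-known ports of the services discussed here to a name
port_name() {
    case "$1" in
        21) echo ftp ;;         22) echo ssh ;;       111) echo rpcbind ;;
        515) echo lpd ;;        631) echo cups ;;     3128) echo squid ;;
        3130) echo squid-icp ;; 3306) echo mysql ;;   *) echo "port-$1" ;;
    esac
}

# exposed_listeners (reads ss output on stdin)
# prints "service local-address:port" for every LISTEN socket that is not
# bound to 127.0.0.0/8 or ::1; "0.0.0.0", "*" and "[::]" mean all interfaces
exposed_listeners() {
    awk '$1 == "LISTEN" { print $4 }' | while read -r sock; do
        addr="${sock%:*}"              # strip the port after the last ':'
        port="${sock##*:}"
        case "$addr" in
            127.*|'[::1]'|::1) continue ;;   # loopback only: not exposed
        esac
        echo "$(port_name "$port") $sock"
    done
}

# constructed sample: cups and mysql are bound to loopback, the rest is not
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::1]:631           [::]:*
LISTEN 0      128    *:3128              *:*
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
LISTEN 0      5      127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:515            [::]:*'

# run the check against the sample, or against the live system with "--live"
demo_exposed() { printf '%s\n' "$SAMPLE_SS" | exposed_listeners; }
if [ "${1:-}" = --live ]; then ss -ltn | exposed_listeners; else demo_exposed; fi
```

On the sample the report names ssh, squid, rpcbind and lpd as exposed; on a workstation behind a DSL router only ssh (if wanted at all) should remain in that list, everything else belongs on loopback or in the firewall.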

OKSecuring SSH, mail-service, BIND, Apache, Finger and deactivate NIS
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html

OKAdministrate the services: systemd since 2013 or chkconfig
/etc/rc.local is not registered as a service for each boot, so it may never be executed; the same may hold for ip6tables and iptables. To fix this, create an init script /etc/init.d/rc.local (for example by copying /etc/init.d/linfw3 over it and editing it): replace the former daemon call of linfw3 in start() with "sh /etc/rc.local", remove the unneeded variables and drop stop() and restart(). Set a new chkconfig priority in the commented "# chkconfig:" line at the beginning.
To be on the safe side, register the service: "chkconfig --add rc.local".
Generally, after this command all services become visible in MCC -> service administration.
Tick only the services that are needed, or set the runlevels 0 to 6 for each new service by hand, typically 0-OFF 1-OFF 2-OFF 3-ON 4-ON 5-ON 6-OFF.
Notice that all runlevel init scripts in /etc/init.d/ and /etc/rcX.d can also be started (start), restarted (restart) and stopped (stop) by hand on MDV, el6 and many other distributions with a command like
"sh /etc/init.d/linfw3 start".

Start of the database server mysqld (el6.remi): as for rc.local above, but the bind-address setting in /etc/my.cnf has to be activated ("commented in").
Reverse proxy daemon (init script) nginx (el6): as for rc.local above too, but before you do this, copy "cp -axf /usr/lib/perl5/strict.pm /usr/local/share/perl5" and "cp -axf /usr/lib/perl5/warnings* /usr/local/share/perl5/".
Apache web server daemon httpd (el6): as for rc.local above, but the modules have to be configured well; remove them where possible.
Print server daemon: cups (pclos)
LAN server and clients: samba-... (el6); samba is not required for a single PC workstation connected to a DSL router.
...

But before these init scripts are started, configure each server in its own configuration file in /etc!

The detailed contents of /etc/rc.local and of one more script in /usr/sbin for ACL access rights are listed further below. Both are started as runlevel init scripts (daemons) from /etc/init.d on each boot.
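As an added example (this is not Gooken's own init script, whose contents the page does not show), here is a complete /etc/init.d/rc.local written along the lines described above: a chkconfig header for runlevels 3, 4 and 5, a start() that runs /etc/rc.local through sh, and no real stop action. The lock file under /var/lock/subsys is the el6 convention that "service ... status" relies on and is an assumption here; both paths can be overridden through the environment so the script can be exercised without root.

```shell
#!/bin/sh
# /etc/init.d/rc.local - SysV init wrapper that runs /etc/rc.local once per
# boot, so that "chkconfig --add rc.local" can register it like any daemon.
# chkconfig: 345 99 01
# description: runs the site-local commands in /etc/rc.local at the end of boot
### BEGIN INIT INFO
# Provides:          rc.local
# Required-Start:    $network $local_fs
# Default-Start:     3 4 5
# Default-Stop:      0 1 2 6
# Short-Description: run /etc/rc.local at the end of the boot
### END INIT INFO

# both paths can be overridden from the environment so the script is testable
RC_LOCAL="${RC_LOCAL:-/etc/rc.local}"
LOCKFILE="${LOCKFILE:-/var/lock/subsys/rc.local}"

start() {
    if [ ! -r "$RC_LOCAL" ]; then
        echo "rc.local: $RC_LOCAL is missing or unreadable" >&2
        return 1
    fi
    echo "Running $RC_LOCAL"
    sh "$RC_LOCAL"; rc=$?              # run through sh so the file needs no x bit
    if [ "$rc" -eq 0 ]; then
        : > "$LOCKFILE" 2>/dev/null      # marker for "service rc.local status"
    else
        echo "rc.local: $RC_LOCAL exited with status $rc" >&2
    fi
    return "$rc"
}

status() {
    if [ -e "$LOCKFILE" ]; then echo "rc.local has been run"; return 0; fi
    echo "rc.local has not been run"; return 3     # LSB code for "not running"
}

case "${1:-}" in
    start|restart|reload) start ;;
    status)               status ;;
    stop)                 rm -f "$LOCKFILE" ;;  # nothing to stop; forget the marker
    '')                   ;;                    # sourced or run without argument
    *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

The "# chkconfig: 345 99 01" line is what "chkconfig --add" reads: on in runlevels 3, 4 and 5, start priority 99 (after everything else, which is what rc.local is for) and stop priority 01.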

OKImportant access rights at each system boot, meaning of UNIX/Linux groups
Files and directories with unrestricted access rights can be found even without root rights.
The command

find / -path /proc -prune -o -type f -perm 666 -print

finds all files in the complete file system except under /proc whose mode is exactly 666, i.e. that everybody can read and overwrite (the trailing -print keeps the pruned /proc itself out of the output). The next one,

find / -path /proc -prune -o -type f -perm 777 -print

lists all such files that are executable by everybody as well, and

find / -path /proc -prune -o -type d -perm 777 -print

finds the directories that everybody may read, write and enter. Note that "-perm 666" matches that exact mode only; a file with mode 676 or 662 is just as writable for everybody but is not listed by it.

Instead of giving directories and files full access rights (chmod 777), it is better to use groups for the files used in common, with the command

chgrp [-R] [group] [file/directory]
https://www.pcwelt.de/ratgeber/Sechs-wichtige-Sicherheitstipps-Linux-Server-9940087.html#6

and to tighten the modes accordingly: 777 -> 770, 775 -> 770, 755 -> 750, 641 -> 640 etc.

For this, at least the following users should belong to the group root: the standard group root itself, uuid, lp, lpadmin, tty, user and toruser.

Be a little careful with this: every member of the group root can read whatever is group-readable for root. We are largely going to give up this assignment of users to the group root in future, but whoever wants to can try to restrict the access rights even further this way...

OKchgrp changes the group of directories and files. For full access by different users through a common group, only mode 770 for directories and 660 for files needs to be set.
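The find commands above match one exact mode each. What follows is an added example (not from this page and not from PC-Welt) that generalises them into an audit script using the "-perm -mode" form, which matches every file having at least the given bits: world-writable files, world-writable directories that lack the sticky bit, and setuid/setgid executables. The directory to scan is a parameter, so the functions can be tried on a constructed tree first; /proc and /sys are pruned when scanning from /.

```shell
#!/bin/sh
# perm_audit.sh - find the permission problems an attacker looks for first.
# "-perm -mode" matches every file that has AT LEAST the given bits, unlike
# "-perm mode", which matches that exact mode only. Each function takes the
# directory to scan; /proc and /sys are pruned because they hold only kernel
# pseudo-files. Errors (unreadable directories when not root) are silenced.

# regular files anybody may write to
world_writable_files() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm -0002 -print 2>/dev/null
}

# directories anybody may write to that lack the sticky bit: everybody can
# delete or replace other users' files in them (unlike /tmp, mode 1777)
world_writable_dirs() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# setuid or setgid executables: each one is a privilege boundary to review;
# compare the list with the 4xxx / 2xxx entries of permissions.secure
setid_files() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit <dir> - print all three reports
audit() {
    echo "== world-writable files under $1";                 world_writable_files "$1"
    echo "== world-writable directories without sticky bit"; world_writable_dirs "$1"
    echo "== setuid/setgid files";                           setid_files "$1"
}

# usage: perm_audit.sh /     (as root, to see everything)
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Run it as root once after the rc.local permissions below have been applied; anything it still lists is either intentional (/tmp-like directories with the sticky bit are already excluded) or a candidate for the 777 -> 770 style tightening.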

OKImportant access rights set at each system boot
/etc/rc.local
chown root:root / # Note: it would be much better to keep all these chown and chmod entries in /etc/permissions.secure, in the format used there, instead of here!
chown root:root /* # -> /etc/permissions.secure
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chmod 400 /etc/shadow*
chmod 400 path_to_encrypted_key_file_for_LUKS_encrypted_partitions
...


For a first, short overview, here are more access rights set at each boot in /etc/rc.local (we are going to list them in more detail soon). They do not only make the system work securely, they also make it mouse-click fast. Mind the order: blanket lines such as "chmod 755 /etc/*" must come before the restrictive ones for /etc/shadow, /etc/fstab and the like, which they would otherwise undo; and if sudo is in use, /etc/sudoers needs its own restrictive line after the blanket one, because sudo refuses to run when /etc/sudoers is not mode 0440:

chmod 111 / # Note: it would be much better to keep all these chown and chmod entries in /etc/permissions.secure, in the format used there!
chmod 755 /usr # 755 needed for caffeine only, else 751
chmod 751 /bin
chmod 751 /var # resp. 750, if user belongs to the group of root
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /usr/lib64
# chmod 751 -R /usr/lib64/python2.6
# chmod 751 -R /usr/lib/python2.6 # shall have got the same include as /usr/lib64/python2.6
chmod 751 /usr/lib64/kde4
chmod 751 /etc # or chmod 750, if the groups listed above belong to root; same for /opt and /var, but we won't follow this in future.
chmod 755 /etc/* # or chmod 750, if the groups listed above belong to root; same for /opt and /var, but we won't follow this in future.
chmod 755 /etc/bashrc
chmod 755 -R /etc/font*
chmod 755 /etc/group
chmod 755 /etc/nsswitch.conf
chmod 755 /etc/ld.so.preload
chmod 755 -R /etc/pango*
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chown root:shadow /etc/shadow*
chmod 400 /etc/shadow*
chown root:root /etc/passwd*
chmod 644 /etc/passwd*
chown root:root /etc/fstab*
chmod 400 /etc/fstab*
chown root:root /etc/crypttab*
chmod 700 /etc/crypttab*
chown root:root /etc/mtab*
chmod 700 /etc/mtab*
chown root:root /etc/hosts
chmod 644 /etc/hosts
chown root:root /etc/mtab*
chmod 644 /etc/mtab* # overrides the chmod 700 above: with 700, kdf does not work
chown root:root /etc/login.defs
chmod 755 /etc/login.defs
chmod 755 -R /etc/firejail
chmod 755 -R /etc/xdg*
chmod 755 -R /etc/resolv.conf
chown root:root -R /etc/modprobe*
chmod 700 -R /etc/modprobe*
chmod 751 /opt # resp. 750, if user belongs to the group of root
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chown root:root /usr/bin
chown root:root /usr/sbin
chown root:root /usr/lib64
chown root:root /usr/lib
chown root:root /usr/libexec
chown root:root /usr/share
chown root:root /root
chmod 700 /usr/bin/xterm # terminals (except your favorite one)
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/byobu*
chmod 700 /usr/bin/terminator*
chmod 700 /usr/bin/quadkonsole*
chmod 700 /usr/bin/lxterminal*
chmod 700 /usr/bin/yakuake*
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/multi-aterm
chmod 700 /usr/bin/tcsh*
chmod 700 /usr/bin/rxvt*
chown root:firejail /usr/bin/firejail
chmod 04750 /usr/bin/firejail # For this, surfuser must be a member of the primary group named firejail of firejail !
chmod 644 /etc/passwd
chmod 644 /etc/security/msec/*.secure
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 /home/uuidd
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente

#
OK# from permissions (OpenSuSE, chkstat), level: secure with some changes
/ root:root 111
/root/ root:root 700
/tmp/ root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev/ root:root 755
/bin/ root:root 751
/sbin/ root:root 751
/lib/ root:root 751
/etc/ root:root 751
/home/ root:root 711
/boot/ root:root 755
/opt/ root:root 751
/usr/ root:root 755
/usr/local root:root 755
#
# /var:
#

/var/tmp/ root:root 1777
/var/log/ root:root 755
/var/spool/ root:root 755
/var/spool/mqueue/ root:root 700
/var/spool/news/ news:news 775
/var/spool/voice/ root:root 755
/var/spool/mail/ root:root 1777
/var/adm/ root:root 755
/var/adm/backup/ root:root 700
/var/cache/ root:root 755
/var/cache/man/ man:root 755
/var/run/nscd/socket root:root 666
/run/nscd/socket root:root 666
/var/run/sudo/ root:root 700
/run/sudo/ root:root 700

#
# login tracking
#
/var/log/lastlog root:root 644
/var/log/faillog root:root 600
/var/log/wtmp root:utmp 664
/var/log/btmp root:utmp 600
/var/run/utmp root:utmp 664
/run/utmp root:utmp 664

#
# some device files
#

/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640

#
# /etc
#
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 400
/etc/init.d/ root:root 755
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644

/etc/opiekeys root:root 600

/etc/ppp/ root:root 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600

# sysconfig files:
/etc/sysconfig/network/providers/ root:root 700

# utempter
/usr/lib/utempter/utempter root:utmp 2755

# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ssh_host_dsa_key.pub root:root 644
/etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ssh_host_rsa_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640

#
# legacy
#
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755

# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755

# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750

#
# udev static devices (#438039)
#
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666

#
# named chroot (#438045)
#
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666

# opiesu is not allowed setuid root as code quality is bad (bnc#882035)
/usr/bin/opiesu root:root 0755

# we no longer make rpm build dirs 1777
/usr/src/packages/SOURCES/ root:root 0755
/usr/src/packages/BUILD/ root:root 0755
/usr/src/packages/BUILDROOT/ root:root 0755
/usr/src/packages/RPMS/ root:root 0755
/usr/src/packages/RPMS/alphaev56/ root:root 0755
/usr/src/packages/RPMS/alphaev67/ root:root 0755
/usr/src/packages/RPMS/alphaev6/ root:root 0755
/usr/src/packages/RPMS/alpha/ root:root 0755
/usr/src/packages/RPMS/amd64/ root:root 0755
/usr/src/packages/RPMS/arm4l/ root:root 0755
/usr/src/packages/RPMS/armv4l/ root:root 0755
/usr/src/packages/RPMS/armv5tejl/ root:root 0755
/usr/src/packages/RPMS/armv5tejvl/ root:root 0755
/usr/src/packages/RPMS/armv5tel/ root:root 0755
/usr/src/packages/RPMS/armv5tevl/ root:root 0755
/usr/src/packages/RPMS/armv6l/ root:root 0755
/usr/src/packages/RPMS/armv6vl/ root:root 0755
/usr/src/packages/RPMS/armv7l/ root:root 0755
/usr/src/packages/RPMS/athlon/ root:root 0755
/usr/src/packages/RPMS/geode/ root:root 0755
/usr/src/packages/RPMS/hppa2.0/ root:root 0755
/usr/src/packages/RPMS/hppa/ root:root 0755
/usr/src/packages/RPMS/i386/ root:root 0755
/usr/src/packages/RPMS/i486/ root:root 0755
/usr/src/packages/RPMS/i586/ root:root 0755
/usr/src/packages/RPMS/i686/ root:root 0755
/usr/src/packages/RPMS/ia32e/ root:root 0755
/usr/src/packages/RPMS/ia64/ root:root 0755
/usr/src/packages/RPMS/mips/ root:root 0755
/usr/src/packages/RPMS/noarch/ root:root 0755
/usr/src/packages/RPMS/pentium3/ root:root 0755
/usr/src/packages/RPMS/pentium4/ root:root 0755
/usr/src/packages/RPMS/powerpc64/ root:root 0755
/usr/src/packages/RPMS/powerpc/ root:root 0755
/usr/src/packages/RPMS/ppc64/ root:root 0755
/usr/src/packages/RPMS/ppc/ root:root 0755
/usr/src/packages/RPMS/s390/ root:root 0755
/usr/src/packages/RPMS/s390x/ root:root 0755
/usr/src/packages/RPMS/sparc64/ root:root 0755
/usr/src/packages/RPMS/sparc/ root:root 0755
/usr/src/packages/RPMS/sparcv9/ root:root 0755
/usr/src/packages/RPMS/x86_64/ root:root 0755
/usr/src/packages/SPECS/ root:root 0755
/usr/src/packages/SRPMS/ root:root 0755
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 400
/etc/ftpusers root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
/etc/ssh/sshd_config root:root 600
# we might want to tighten that up in the future in this profile (remove the
# ability for others to read/enter)
/etc/cron.d root:root 755
/etc/cron.daily root:root 755
/etc/cron.hourly root:root 755
/etc/cron.monthly root:root 755
/etc/cron.weekly root:root 755

#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
# disable at and cron for users that do not belong to the group "trusted"
/usr/bin/at root:trusted 4750
/usr/bin/crontab root:trusted 4750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 2755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# /usr/bin/opiepasswd root:root 4755
#
/sbin/mount.nfs root:root 0755
#
#
/usr/bin/fusermount root:trusted 4750
# needs setuid root when using shadow via NIS:
#
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755

# squid changes
/var/cache/squid/ squid:root 0750
/var/log/squid/ squid:root 0750
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:shadow 2750

# still to be converted to utempter /usr/lib/gnome-pty-helper root:utmp 2755

#
# mixed section: most of it is disabled in this permissions.secure:
#
# video
/usr/bin/v4l-conf root:video 4750

# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755

# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755

#
# networking (need root for the privileged socket)
#
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
/usr/bin/ping6 root:root 0755
+capabilities cap_net_raw=ep
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0750
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755

# exim
/usr/sbin/exim root:root 4755

#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755

#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755

#
# terminal emulators
# This and future SUSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.

# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755

#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# needs setuid root when using shadow via NIS:
# #66218
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
/usr/lib/libexec/kf5/kdesud root:nogroup 2755
/usr/lib64/libexec/kf5/kdesud root:nogroup 2755

# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755

#
# amanda
#
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750

#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555


#
# news (inn)
#
# the inn start script changes its uid to news:news. Later innbind
# is called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required
# for operation. (#67032, #594393)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/inews news:news 2555
/usr/lib/news/bin/innbind root:news 4550

#
# sendfax
#
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4755
/var/spool/fax/outgoing/ fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755

#
# uucp
#
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555

# pcp (bnc#782967)
/var/lib/pcp/tmp/ root:root 0755
/var/lib/pcp/tmp/pmdabash/ root:root 0755
/var/lib/pcp/tmp/mmv/ root:root 0755
/var/lib/pcp/tmp/pmlogger/ root:root 0755
/var/lib/pcp/tmp/pmie/ root:root 0755

# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750

# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755

# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# dbus-1 in /usr #1056764)
/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750

# policycoreutils (#440596)
/usr/bin/newrole root:root 0755

# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
# bsc#1120650
/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# (bnc#533550)
/usr/lib/virtualbox/VBoxNetAdpCtl root:vboxusers 0755
# bnc#669055
/usr/lib/virtualbox/VBoxNetDHCP root:vboxusers 0755
# bsc#1033425
/usr/lib/virtualbox/VBoxNetNAT root:vboxusers 0755

# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755

# lockdev (bnc#588325)
/usr/sbin/lockdev root:lock 2755

# hawk (bnc#665045)
/usr/sbin/hawk_chkpwd root:haclient 4750
/usr/sbin/hawk_invoke root:haclient 4750

# chromium (bnc#718016)
/usr/lib/chrome_sandbox root:root 4755

# ecryptfs-utils (bnc#740110)
/sbin/mount.ecryptfs_private root:root 0755

# wireshark (bsc#957624)
/usr/bin/dumpcap root:wireshark 0750
+capabilities cap_net_raw,cap_net_admin=ep

# singularity (bsc#1028304)
# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
#/usr/lib/singularity/bin/expand-suid root:singularity 4750
#/usr/lib/singularity/bin/create-suid root:singularity 4750
#/usr/lib/singularity/bin/export-suid root:singularity 4750
#/usr/lib/singularity/bin/import-suid root:singularity 4750
/usr/lib/singularity/bin/action-suid root:singularity 4750
/usr/lib/singularity/bin/mount-suid root:singularity 4750
/usr/lib/singularity/bin/start-suid root:singularity 4750

/usr/bin/su root:root 4755
/usr/bin/mount root:root 4755
/usr/bin/umount root:root 4755

# cdrecord of cdrtools from Joerg Schilling (bnc#550021)
# in secure mode, no provisions are made for reliable cd burning, as admins
# will have very likely prohibited that anyway.
/usr/bin/cdrecord root:root 755
/usr/bin/readcd root:root 755
/usr/bin/cdda2wav root:root 755

# qemu-bridge-helper (bnc#765948, bsc#988279)
/usr/lib/qemu-bridge-helper root:kvm 04750

# systemd-journal (bnc#888151)
/var/log/journal/ root:systemd-journal 2755

#iouyap (bnc#904060)
/usr/lib/iouyap root:iouyap 0750

# radosgw (bsc#943471)
/usr/bin/radosgw root:www 0750
+capabilities cap_net_bind_service=ep

# gstreamer ptp (bsc#960173)
/usr/lib/gstreamer-1.0/gst-ptp-helper root:root 0755
+capabilities cap_net_bind_service=ep

#
# suexec is only secure if the document root doesn´t contain files
# writeable by wwwrun. Make sure you have a safe server setup
# before setting the setuid bit! See also
# https://bugzilla.novell.com/show_bug.cgi?id=263789
# http://httpd.apache.org/docs/trunk/suexec.html
# You need to override this in permissions.local.
# suexec2 is a symlink for now, leave as-is
#
/usr/sbin/suexec root:root 0755

# newgidmap / newuidmap (bsc#979282, bsc#1048645)
/usr/bin/newgidmap root:shadow 4755
/usr/bin/newuidmap root:shadow 4755

# kwayland (bsc#1062182)
/usr/bin/kwin_wayland root:root 0755
+capabilities cap_sys_nice=ep

# gvfs (bsc#1065864)
/usr/lib/gvfs/gvfsd-nfs root:root 0755

# icinga2 (bsc#1069410)
/run/icinga2/cmd icinga:icingagmd 2750

# fping (bsc#1047921)
/usr/sbin/fping root:root 0755
+capabilities cap_net_raw=ep

# usbauth (bsc#1066877)
/usr/bin/usbauth-npriv root:usbauth 04750
/usr/lib/usbauth-notifier root:usbauth-notifier 0750
/usr/lib/usbauth-notifier/usbauth-notifier root:usbauth 02755

# spice-gtk (bsc#1101420)
/usr/bin/spice-client-glib-usb-acl-helper root:kvm 04750

# smc-tools (bsc#1102956)
/usr/lib/libsmc-preload.so root:root 04755
/usr/lib64/libsmc-preload.so root:root 04755

# lxc (bsc#988348)
/usr/lib/lxc/lxc-user-nic root:kvm 04750

# firejail (bsc#1059013)
# For this, surfuser must be a member of the group named firejail (the primary group of user firejail)!
/usr/bin/firejail root:firejail 04750

# authbind (bsc#1111251)
/usr/lib/authbind/helper root:root 04755

# fuse3 (bsc#1111230)
/usr/bin/fusermount3 root:trusted 04750

# 389-ds (bsc#1111564)
/usr/sbin/ns-slapd root:dirsrv 0750
/ root:root 111
/home root:root 711
/home/user user:user 700
/home/surfuser surfuser:surfuser 700
/home/toranonym toruser:torgroup 700
/usr/src root:root 700
/usr/lib64 root:root 751
/usr/lib64/kde4 root:root 751
/usr root:root 755
/bin root:root 751
/sbin root:root 751
/lib64 root:root 751
/lib root:root 751
/root root:root 700
/initrd root:root 751
/misc root:root 751
/boot-save root:root 000
/usr/games root:root 751
/net root:root 751
/secoff root:root 710
/sid-root root:root 700
/srv root:root 751
/sys root:root 751
/var root:root 751
/mnt root:root 755
/media root:root 711
/initrd root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/local/Brother root:root 755
/GenuineIntel.bin root:root 710
/Module.symvers root:root 751
/usr/lib/cups root:sys 755
/usr/share/cups root:sys 755
/etc/cups root:sys 755
/smack root:root 700
/usr/share root:root 755
/usr/share/* root:root 755
/usr/libexec root:root 751
/usr/libexec/* root:root 755
/usr/lib64/kde4 root:root 751
/home/user/Dokumente user:user 700
/home/user/Dokumente/* user:user 700
/home/user/.kde4 user:user 700
/home/user/.kde4/* user:user 700
/home/user/.kde4/share/apps/kmail/mail user:user 700
/home/user/.kde4/share/apps/kmail/mail/*/*/* user:user 700
/home/surfuser/.mozilla surfuser:surfuser 100
/var/cache root:root 755
/var/cache/cups root:sys 775
/var/cache/cups/ppds.dat lp:sys 755
/var/cache/cups/job.cache root:sys 755
/var/cache/cups/help.index lp:sys 755
/var/cache/pdnsd pdnsd:pdnsd 755
/var/cache/pdnsd/pdnsd.cache pdnsd:pdnsd 755
/var/cache/coolkey root:root 755
/var/cache/urpmi root:root 755
/var/cache/apparmor root:root 755
/home/uuidd uuidd:uuidd 700
/usr/libexec root:root 755
# group sys, depending on /etc/cups/cupsd.conf
/usr/lib/cups/filter root:sys 755
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/ root:sys 755
/usr/share/cups/* root:sys 755
/usr/share/cups/model/ root:sys 755
/var/spool root:root 755
/var/spool/MailScanner root:root 755
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/* root:sys 755
/etc/cups root:sys 755
/etc/cups/* root:sys 755
/var/cache/cups root:sys 775
/var/cache/cups/rss root:sys 775
/lib64/ld*.so root:root 755
/lib64/libc-*.so root:root 755
/usr/lib64/kde4 root:root 751
/usr/lib64/kde4/* root:root 755
/usr/share root:root 755
/usr/games root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/share/* root:root 755


Apply the permissions at each boot, for example in /etc/rc.local (note that --no-fscaps skips the +capabilities lines; drop that option if chkstat is to set the file capabilities too):

chkstat --set --no-fscaps /etc/permissions # rpm "permissions" from openSUSE (even possible for CentOS 6)
chkstat --set --no-fscaps /etc/permissions.secure # configuration from right above
chkstat --set --no-fscaps /etc/permissions.local # ... but configure it at first!

CAPABILITIES
capsh, getcap, setcap, ...
linux - Using capsh to drop all capabilities - Stack Overflow
root: all capabilities are assigned to root by default!
The capability names (kernel numbering; a Rust binding lists them as pub enum Capability { CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, ... } and drops one from the bounding set of the current process via cap_drop_bound). The complete set, as decoded by capsh --decode=0x0000003fffffffff:
0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
(the bare 37 is cap_audit_read, which that libcap version did not yet know by name)
Capabilities of the current process, as shown by capsh --print (example output from the Stack Overflow question linked below):
capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=10101(u0_a101)
gid=10101...
/etc/permissions.secure :
...
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
...
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
...
stackoverflow.com/questions/28811823/using-capsh-to-drop-all-capabilities
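A checker for entries in the permissions file format above, using the capability mask decoding just shown, as an added example that is not code from the permissions package or from this page: it parses path/owner:group/mode entries with their +capabilities lines, decodes a raw security.capability xattr (struct vfs_cap_data) and reports deviations. The entries and the filesystem view are constructed samples, so it runs without root and without real files.

```python
"""Offline check of chkstat-style permission entries (added example; not
code from the permissions package or from this page).  Entries of the form
"/path owner:group mode" with optional "+capabilities ...=ep" lines are
compared with a filesystem view: owner/group/mode as stat() reports them and
file capabilities decoded from the raw security.capability xattr (struct
vfs_cap_data, rev. 2 or 3).  The view is plain data: no root, no real files.
"""
import stat
import struct
# Kernel capability numbers (linux/capability.h): list index == number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low byte of magic_etc: the "e" flag
VFS_CAP_REVISION_MASK = 0xFF000000  # high byte of magic_etc: format revision

def decode_cap_mask(mask):
    """Names for a bitmask such as the one capsh --decode prints."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else str(i)
            for i in range(mask.bit_length()) if (mask >> i) & 1]

def parse_security_capability(blob):
    """Decode a security.capability xattr into (permitted mask, effective)."""
    magic, = struct.unpack_from("<I", blob, 0)
    if (magic & VFS_CAP_REVISION_MASK) not in (0x02000000, 0x03000000):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % magic)
    p_lo, _i_lo, p_hi, _i_hi = struct.unpack_from("<IIII", blob, 4)
    return (p_hi << 32) | p_lo, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def parse_permissions(text):
    """Parse permissions(.secure) text into a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        if line.startswith("+capabilities"):  # belongs to the entry right before it
            if not entries:
                raise ValueError("+capabilities before any path entry")
            caps, flags = line.split(None, 1)[1].split("=", 1)
            entries[-1]["caps"] = set(caps.split(","))
            entries[-1]["effective"] = "e" in flags
            continue
        path, owner_group, mode = line.split()
        owner, group = owner_group.split(":")
        entries.append({"path": path, "owner": owner, "group": group,
                        "mode": int(mode, 8), "caps": set(), "effective": False})
    return entries

def check_entries(entries, fs):
    """fs maps path -> {owner, group, mode, xattr}; returns the deviations found."""
    findings = []
    for e in entries:
        actual = fs.get(e["path"])
        if actual is None:
            findings.append("%s: missing" % e["path"])
            continue
        if (actual["owner"], actual["group"]) != (e["owner"], e["group"]):
            findings.append("%s: owner %s:%s, expected %s:%s" % (
                e["path"], actual["owner"], actual["group"], e["owner"], e["group"]))
        if stat.S_IMODE(actual["mode"]) != e["mode"]:
            findings.append("%s: mode %04o, expected %04o" % (
                e["path"], stat.S_IMODE(actual["mode"]), e["mode"]))
        have, eff = set(), False
        if actual.get("xattr"):
            mask, eff = parse_security_capability(actual["xattr"])
            have = set(decode_cap_mask(mask))
        if have != e["caps"] or eff != e["effective"]:
            findings.append("%s: caps %s, expected %s" % (
                e["path"], ",".join(sorted(have)) or "-", ",".join(sorted(e["caps"])) or "-"))
    return findings

# Constructed samples: three entries from the listing above, and a filesystem view
# in which dumpcap is as configured (xattr laid out like the kernel's vfs_cap_data:
# rev-2 magic | effective flag, permitted lo32, inheritable lo32, permitted hi32,
# inheritable hi32), pkexec lacks its setuid bit and ping has no file capability.
SAMPLE_PERMISSIONS = """\
/usr/bin/dumpcap root:wireshark 0750
+capabilities cap_net_raw,cap_net_admin=ep
/usr/bin/pkexec root:root 4755
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
"""
SAMPLE_FS = {
    "/usr/bin/dumpcap": {"owner": "root", "group": "wireshark", "mode": 0o100750,
                         "xattr": struct.pack("<IIIII", 0x02000001, 0x3000, 0, 0, 0)},
    "/usr/bin/pkexec": {"owner": "root", "group": "root", "mode": 0o100755},
    "/usr/bin/ping": {"owner": "root", "group": "root", "mode": 0o100755},
}

if __name__ == "__main__":
    print("\n".join(check_entries(parse_permissions(SAMPLE_PERMISSIONS), SAMPLE_FS)))
```

On a real system the filesystem view would come from os.stat() plus os.getxattr(path, "security.capability"), which is exactly the blob that parse_security_capability expects.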

/etc/rc.local (complete)
#!/bin/sh
#
### BEGIN INIT INFO
# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
### END INIT INFO
sysctl -p /etc/sysctl.conf
auditctl -e0
echo 1 > /sys/devices/system/cpu/microcode/reload
# microcode_ctl -Qu
sh /usr/libexec/microcode_ctl/reload_microcode
hdparm -W1a0A0 /dev/sda # mouse-click-fast SSD on the S-ATA port; mind the port number (1: sda, 2: sdb, ...)
echo deadline > /sys/block/sdb/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "" > /etc/securetty
# https://en.wikipedia.org/wiki/TCP_congestion-avoidance_algorithm # cat /proc/sys/net/ipv4/tcp_congestion_control
# modprobe tcp_htcp
modprobe sch_fq_codel
modprobe tcp_cubic
# modprobe tcp_bbr
# echo sch_fq_codel > /proc/sys/net/core/default_qdisc
echo cubic > /proc/sys/net/ipv4/tcp_congestion_control
macchanger --mac=ac:22:ca:00:00:c1 eth0
echo sch_fq_codel > /proc/sys/net/core/default_qdisc
xhost -
xhost +si:localuser:user
xhost -inet6:user@
xhost -nis:user@
xhost - 192.168.178.1
xhost - 192.168.178.40
# echo 1 > /proc/sys/net/ipv4/conf/all/hidden # or net.ipv4.conf.all.hidden=1 within /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/shared_media
# echo 1 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/shared_media
touch /var/lock/subsys/local
modprobe usblp
modprobe usb_storage
ifconfig eth0 -multicast
ifconfig lo -multicast
ifconfig lo -broadcast
ip link set eth0 multicast off
ip link set lo multicast off
sh /etc/init.d/ip6tables restart # if iptables-ipv6 (el6) has been installed next to iptables (el6); all traffic within the new IPv6 address space is blocked on INPUT, OUTPUT and FORWARD by Linfw3, see the rules in /etc/sysconfig/ip6tables. Instead of this total block, all IPv4 rules of Linfw3 in /usr/local/LINFW3.sh can be carried over to /etc/sysconfig/ip6tables by replacing ipt="iptables" with ipt="ip6tables". Also check that /sbin/ip6tables* is correctly linked to /sbin/ip6tables-multi.
mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2
#sh /etc/init.d/syslog start
sh /etc/init.d/rsyslog start
cp -fp /etc/hosts.savenew /etc/hosts
cp -fp /etc/pdnsd-savenew.conf /etc/pdnsd.conf
# cp -fp /boot-save/ifcfg-eth0* /etc/sysconfig/network-scripts/
cp -fp /boot-save/70-persistent-net.rules /etc/udev/rules.d/
export RESOLV_HOST_CONF="/etc/hosts"
# sh /etc/init.d/incrond start
# sh /etc/init.d/noflushd start
# gpg-agent --daemon --use-standard-socket
# atieventsd
# dhclient -4 -cf /etc/dhcp/dhclient.conf eth0 &
# NetworkManager --log-level=ERR
# preload
# ifup eth0
# acpid&
# dnssec-triggerd
# unbound -dv -c /etc/unbound/unbound.conf
# tcpd &
# sh /etc/init.d/xfs start
# sh /etc/init.d/psad start
# paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 192.168.178.1 -l --tcp-port 443 /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 208.67.222.222 --tcp-port 443 -l /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 213.73.91.35 --tcp-port 443 -l /dev/null
# cp -fp /var/cache/pdnsd.cache /var/cache/pdnsd-savenew.cache
# speechd
# artsd&
# killall plymouthd
# xhost -
# sh /etc/init.d/lpd start
# redshift -l 60:10 -t 6500K:6200K&
sh /etc/init.d/modules-disabled start # kernel.modules_disabled=1, here after 45 seconds
chkstat --set --no-fscaps /etc/permissions # rpm permissions form OpenSuSE
chkstat --set --no-fscaps /etc/permissions.secure
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox &
#apparmor_parser -af /etc/apparmor/profiles/sbin.dhclient &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin.man &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin/passwd &
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.sh &
# /usr/lib64/apparmorapplet&
unshare apparmor-dbus &
# msec settings: add each line once if it is not there yet (">" would overwrite the file on every boot)
for setting in ALLOW_REBOOT=yes BASE_LEVEL=secure ENABLE_STARTUP_MSEC=yes ENABLE_STARTUP_PERMS=enforce; do
grep -qx "$setting" /etc/security/msec/security.conf || echo "$setting" >> /etc/security/msec/security.conf
done
msec -f secure # msec: rpm from Mandriva Linux and Rosalabs
# chmod 666 /dev/usb/lp0 # better: enter all chown and chmod in /etc/permissions.secure in the form intended there!
chown pdnsd:pdnsd -R /var/cache/pdnsd
chmod 755 /var/cache/pdnsd/pdnsd.cache
chown root:root /etc/hosts
chmod 400 /usr/local/key
chmod 644 /etc/hosts
chmod 111 /
chmod 751 /etc
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 400 /etc/shadow*
chmod 400 /etc/fstab*
chmod 700 /etc/crypttab*
chmod 700 /etc/mtab*
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 -R /home/surfuser/.mozilla
chown root:root /home/surfuser/.mozilla/firefox/profile.default/user.js
chmod 755 /home/surfuser/.mozilla/firefox/profile.default/user.js
chown root:root /home/surfuser/.mozilla/firefox/prefs.js
chmod 755 /home/surfuser/.mozilla/firefox/prefs.js
chmod 700 -R /home/surfuser/.moon*
chmod 700 -R /usr/src
chmod 751 /etc/X11
chmod 751 /usr/lib64
chmod 751 /usr/lib64/kde4
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente
chmod 700 /home/uuidd
chmod 400 /usr/local/ke*
chmod 755 /usr
chmod 751 /bin
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /opt
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chmod 644 /etc/passwd
chmod 751 /usr/games
chmod 751 /net
chmod 710 /secoff
chmod 700 /sid-root
chmod 700 /smack
chmod 751 /srv
chmod 751 /sys
chmod 700 /typo3i*
chmod 751 /var
chmod 700 /lost*found
chmod 710 /intel-ucode*
chmod 751 /initrd
chmod 710 /GenuineIntel.bin
chmod 751 /etc/security/msec/*.secure
chmod 751 /Module.symvers
rm -df /home/surfuser/.Xauth*.*
rm -df /home/surfuser/.xauth*
rm -df /home/toruser/.xauth*
rm -df /home/toruser/.Xauth*.*
rm -df /home/user/.kde4/share/apps/kmail/mail/Spam/cur/*
rm -df /var/spool/cups/a*
rm -df /var/spool/cups/b*
rm -df /var/spool/cups/c*
rm -df /var/spool/cups/d*
rm -df /var/spool/cups/e*
rm -df /var/spool/cups/f*
rm -df /var/spool/cups/g*
rm -df /var/spool/cups/h*
rm -df /var/spool/cups/i*
rm -df /var/spool/cups/j*
rm -df /var/spool/cups/k*
rm -df /var/spool/cups/l*
rm -df /var/spool/cups/m*
rm -df /var/spool/cups/o*
rm -df /var/spool/cups/p*
rm -df /var/spool/cups/q*
rm -df /var/spool/cups/r*
rm -df /var/spool/cups/s*
rm -df /var/spool/cups/u*
rm -df /var/spool/cups/v*
rm -df /var/spool/cups/w*
rm -df /var/spool/cups/x*
rm -df /var/spool/cups/y*
rm -df /var/spool/cups/z*
echo 'V' > /dev/watchdog
sh /etc/init.d/dosetfacls start # the script dosetfacls follows right below
exit


Also create the file (runlevel init script)
/etc/init.d/dosetfacls


#!/bin/sh
#
# This is file /etc/init.d/dosetfacls; its header was taken over from
# /etc/rc.d/init.d/linfw3 (put there by the linfw3 rpm)
#
# chkconfig: 2345 92 36
#
# description: sets the ACL restrictions (setfacl) for surfuser and toranonym \
# at each boot; change the chkconfig numbers if necessary!
#

# ********************************************************************
#
# File : $Source: /cvsroot/ijbswa/current/linfw3.init,v $
#
# Purpose : This shell script takes care of setting the ACLs
# (dosetfacls) at boot; there is nothing to stop.
#
# Copyright : Written by Gooken
# http://www.gooken.de
#
#
#
# ********************************************************************/


# Source function library.
. /etc/rc.d/init.d/functions

start () {
# start daemon
setfacl -m u:-1:- /* # There is an unnamed (!) process starting from time to time under a user called "-1, root"..., listed at the bottom of the ps -aux output (gamin, FAM?)
setfacl -m u:-1:- /mnt
setfacl -m u:-1:- /media
setfacl -m u:apache:- /home/user
setfacl -m u:apache:- /home/surfuser
setfacl -m u:apache:- /home/toranonym
setfacl -m u:apache:- /mnt
setfacl -m u:apache:- /media
setfacl -m u:surfuser:- /etc/shadow*
setfacl -m u:toranonym:- /etc/shadow*
setfacl -m u:surfuser:- /etc/fstab*
setfacl -m u:surfuser:- /etc/mtab*
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:toranonym:- /etc/fstab*
setfacl -m u:toranonym:- /etc/mtab*
setfacl -m u:toranonym:- /etc/crypttab*
setfacl -m u:surfuser:- /etc/init.d
setfacl -m u:surfuser:- /etc/init.d/*
setfacl -m u:toranonym:- /etc/init.d
setfacl -m u:toranonym:- /etc/init.d/*
setfacl -m u:surfuser:- /etc/rc0.d
setfacl -m u:surfuser:- /etc/rc1.d
setfacl -m u:surfuser:- /etc/rc2.d
setfacl -m u:surfuser:- /etc/rc3.d
setfacl -m u:surfuser:- /etc/rc4.d
setfacl -m u:surfuser:- /etc/rc5.d
setfacl -m u:surfuser:- /etc/rc6.d
setfacl -m u:surfuser:- /etc/rc.local
setfacl -m u:toranonym:- /etc/rc0.d
setfacl -m u:toranonym:- /etc/rc1.d
setfacl -m u:toranonym:- /etc/rc2.d
setfacl -m u:toranonym:- /etc/rc3.d
setfacl -m u:toranonym:- /etc/rc4.d
setfacl -m u:toranonym:- /etc/rc.local
setfacl -m u:surfuser:- /etc/security/msec
setfacl -m u:surfuser:- /etc/security
setfacl -m u:toranonym:- /etc/security
setfacl -m u:toranonym:- /etc/security/msec
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:surfuser:- /usr/bin/*
setfacl -x surfuser /usr/bin/bash*
setfacl -x surfuser /usr/bin/unshare
setfacl -x surfuser /usr/bin/firejail*
setfacl -x surfuser /usr/bin/firefox*
setfacl -x surfuser /usr/bin/gftp*
setfacl -x surfuser /usr/bin/tor*
setfacl -x surfuser /usr/bin/xauth*
setfacl -x surfuser /usr/bin/xargs*
setfacl -x surfuser /usr/bin/sg*
setfacl -x surfuser /usr/bin/palemoon*
setfacl -x surfuser /usr/bin/export
setfacl -m u:surfuser:- /usr/libexec
setfacl -m u:surfuser:- /usr/sbin
setfacl -m u:surfuser:--x /bin
setfacl -m u:surfuser:- /bin/*
setfacl -m u:surfuser:- /sbin
setfacl -x surfuser /bin/bash*
setfacl -x surfuser /bin/certtool
setfacl -x surfuser /bin/certutil
setfacl -x surfuser /bin/basename
setfacl -x surfuser /bin/bash.old
setfacl -x surfuser /bin/p11tool
setfacl -x surfuser /bin/pk12util
setfacl -x surfuser /bin/smime
setfacl -x surfuser /bin/shlibsign
setfacl -x surfuser /bin/sign*
setfacl -x surfuser /bin/ssltap*
setfacl -m u:surfuser:--x /home/surfuser
setfacl -m u:toranonym:- /home/surfuser
setfacl -m u:surfuser:- /usr/local
setfacl -m u:surfuser:- /opt
setfacl -m u:surfuser:--x /lib64
setfacl -m u:surfuser:--x /usr/lib64
setfacl -m u:surfuser:--x /lib
setfacl -m u:surfuser:--x /usr/lib
setfacl -m u:surfuser:- /misc
setfacl -m u:surfuser:- /net
setfacl -m u:surfuser:- /sid-root
setfacl -m u:surfuser:--x /etc
setfacl -m u:surfuser:- /intel-ucode
setfacl -m u:surfuser:--x /secoff
setfacl -m u:surfuser:- /smack
setfacl -m u:surfuser:- /srv
setfacl -m u:surfuser:- /--tcp-port
setfacl -m u:surfuser:- /initrd
setfacl -m u:surfuser:- /ttf
setfacl -m u:surfuser:- /none
setfacl -m u:surfuser:- /doc
setfacl -m u:surfuser:- /firejail
setfacl -m u:surfuser:- /root
setfacl -m u:surfuser:- /usr/lib64/kde4/*
setfacl -x surfuser /usr/lib64/kde4/libexec
setfacl -m u:surfuser:- /usr/lib64/kde4/libexec/*
setfacl -x surfuser /usr/lib64/kde4/libexec/kdesu*
return
}

case "$1" in
start)
start
;;
*)
echo "Usage: $0 {start}"
exit 1
;;
esac

exit 0


Notice: toranonym is our older account for Tor. Now surfuser serves that purpose too: in general for browsing, but it can also be given more privileges for many, many processes, such as chats or global mapping like Marble. surfuser alone is enough; just lift the corresponding setfacl entry process by process with option -x to allow access.
Start it at each boot from /etc/rc.local with the command "sh /etc/init.d/dosetfacls start"!


Change file attributes (chattr), for example for data integrity (option -i)
man chattr
User extended attributes must be enabled on the partitions concerned!

chattr +i -R /boot
chattr +i /etc/hosts*
chattr +i /etc/fstab
chattr +i /home/surfuser/.mozilla
chattr +i /home/surfuser/.mozilla/firefox/*.js
chattr +i /home/surfuser/.mozilla/firefox/profile.default/user.js
chattr +i /home/surfuser/torrc
chattr +i /home/surfuser/geoip*


... and create, as described further above, the two corresponding runlevel init scripts (daemons) in /etc/init.d named rc.local and dosetfacls.
Register both scripts and activate them by default in the higher runlevels:

chkconfig --add rc.local && chkconfig --add dosetfacls

Advantage: regardless of package installations, the significant ACL access rights are set at each system boot. This keeps the system secure and makes it mouse-click-fast.

Additionally, the grsecurity patches for the kernel (resp. the root kernel processes), the login lock /sbin/nologin, password protection and locking of all system and user accounts except surfuser (and maybe a separate toruser), the sandbox Firejail (especially for locking the shells/terminals) and the firewall Linfw3 are in use too, alongside Tor resp. the Tor browser with Firefox extensions for script filtering like ABP, NoScript, RequestPolicyBlockContinued and more.

Set setfacl -m u:surfuser:- /usr/bin/*, except for /usr/bin/bash, /usr/bin/firefox, /usr/bin/firejail, /usr/bin/sg, /usr/bin/proftp*, /usr/bin/tor*, /usr/bin/export, /usr/bin/xauth*, /usr/bin/xarg* and all communication programs that surfuser should be able to use.

rsyslog instead of syslogd

Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, PostgreSQL, syslog/tcp, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to setup for the novice user.
o lmnet.so - Implementation of network related stuff.
o lmregexp.so - Implementation of regexp related stuff.
o lmtcpclt.so - This is the implementation of TCP-based syslog clients.
o lmtcpsrv.so - Common code for plain TCP based servers.
o imtcp.so - This is the implementation of the TCP input module.
o imudp.so - This is the implementation of the UDP input module.
o imuxsock.so - This is the implementation of the Unix sockets input module.
o imklog.so - The kernel log input module for Linux.
o immark.so - This is the implementation of the built-in mark message input module.
o imfile.so - This is the input module for reading text file data.

You have to delete all *syslog* init script files from /etc/rc*.d/ and /etc/init.d/.

/etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.warn;mail.none;news.none;authpriv.none;cron.none /tmp/messages
# The authpriv file has restricted access.
authpriv.* /tmp/secure
# Log all the mail messages in one place.
mail.* -/tmp/maillog
# Log cron stuff
cron.* /tmp/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /tmp/spooler
# Save boot messages also to boot.log
local7.* /tmp/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
#
# INN
#
news.=crit /tmp/news/news.crit
news.=err /tmp/news/news.err
news.notice /tmp/news/news.notice
news.=debug /tmp/news/news.debug


/proc/sys/* - kernel flags & co.: detailed configuration
sysctl.conf: its variables correspond to the files under /proc/sys
Check the settings with "sysctl -a"
# Kernel sysctl configuration file
# /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Kernel sysctl configuration file for CentOS and Mandriva Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# /etc/sysctl.conf
# additionally from http://joshrendek.com/2013/01/securing-ubuntu/ resp. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
# Turn on execshield
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
net.ipv6.conf.lo.use_tempaddr = 0
# IP dynaddr (1 = enabled)
net.ipv4.ip_dynaddr = 1
# ECN (1 = enabled)
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_congestion_control=cubic
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
# kernel.modules_disabled=0
# kernel.exec-shield=1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restrict value is 1, addresses are provided if the current user has a CAP_SYSLOG
# capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the
# current user has.

kernel.kptr_restrict=2
kernel.dmesg_restrict = 1
# kernel.yama.ptrace_scope=3
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
dev.cdrom.autoeject=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.eth0.secure_redirects=1
net.ipv4.conf.eth0.shared_media=0

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.eth0.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.router_solicitations=0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=0
#
# ls /lib/modules/`uname -r`/kernel/net/ipv4/
# modprobe tcp_htcp
# modprobe tcp_cubic
# modprobe tcp_bbr
# net.core.default_qdisc=sch_fq_codel
net.ipv4.tcp_congestion_control=cubic
# BBR

# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.somaxconn=65535
net.core.optmem_max=25165824
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.rmem_default =212992
net.core.wmem_default =212992
net.core.netdev_max_backlog = 1000
#
kernel.sysrq = 0
kernel.core_uses_pid = 1
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max=65535
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_regular=1
# fs.protected_fifos=1 # this might cause overflow of processes akonadi_maildir: system runs out of capacities
# fs.dir-notify-enable=0
# fs.mount-max=20
fs.suid_dumpable=0
# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max=65536
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 3294967295
kernel.shmall = 3294967295
kernel.randomize_va_space = 2

net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=200
# or: vm.overcommit_kbytes=
vm.page-cluster =3
vm.oom_dump_tasks =0
vm.dirty_ratio=20
vm.dirty_writeback_centisecs=500
vm.dirty_background_ratio=5

kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
kernel.printk =0 6 1 3
# period to wait in seconds (sysctl.conf knows no trailing comments, so they go on their own lines)
kernel.printk_ratelimit = 5
# max. amount at the same time
kernel.printk_ratelimit_burst = 60
kernel.shmall =-1
# ptrace: process tracing
# kernel.yama.ptrace_scope=3
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_congestion_control=cubic
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.all.shared_media=0
net.ipv4.conf.eth0.secure_redirects=1
net.ipv4.conf.eth0.shared_media=0



http://www.linux-admins.net/2010/09/all-you-need-to-know-about-procsys.html
Example for ulimit, ulimit -a and sysctl -a, https://forum.altlinux.org/index.php?topic=4786.0

Link

ln -sf /usr/sbin/sysctl /sbin/sysctl

Test sysctl.conf with "sysctl -p /etc/sysctl.conf" and, once it runs without errors, activate it through the sysctl daemon/service or from /etc/rc.local:

sysctl -p /etc/sysctl.conf
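A check for the "error-free sysctl" demanded above, added here as an example (not code from Gooken or from the procps sysctl tool): it maps each key of a sysctl.conf to its file below /proc/sys and reports keys the running kernel does not export, before the file is wired into a boot script. The PROC_SYS override and the file names in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the page: check /etc/sysctl.conf against the running kernel before
# "sysctl -p" is put into a boot script, so that an unknown key (a typo, a key of another
# kernel version, or a cgroup file mistaken for a sysctl) is found in advance. Every key
# maps to a file below /proc/sys with dots turned into slashes; PROC_SYS can point at a
# different directory, which is how the function can be exercised without root.

# sysctl_conf_check FILE: prints "unknown: KEY" for keys without a /proc/sys entry and
# "malformed: LINE" for lines that are neither a comment nor key = value.
# Returns 0 when every line is fine, 1 otherwise.
sysctl_conf_check() {
  procsys=${PROC_SYS:-/proc/sys}
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}          # drop leading whitespace
    case $line in
      ''|'#'*|';'*) continue ;;                     # blank and comment lines, as sysctl skips them
    esac
    case $line in
      *=*) ;;
      *) printf 'malformed: %s\n' "$line"; rc=1; continue ;;
    esac
    key=${line%%=*}
    key=${key%"${key##*[![:space:]]}"}             # drop trailing whitespace
    key=${key#-}                                   # "-key = value" tells sysctl to ignore errors
    path=$procsys/$(printf '%s' "$key" | tr . /)
    [ -e "$path" ] || { printf 'unknown: %s\n' "$key"; rc=1; }
  done < "$1"
  return $rc
}

# Typical use before enabling the file at boot (as root):
#   sysctl_conf_check /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
```

Keys that contain a slash in an interface name (rare, e.g. VLAN sub-interfaces written with a slash) are not covered by the simple dot-to-slash mapping; for such keys sysctl itself must be consulted.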

OKDisable Unwanted SUID- and SGID-Binaries
Any file with the SUID/SGID bit set can be misused when the SUID/SGID executable has a security problem or bug, and every local or remote user can run such a file. It is a good idea to find all such files. Use the find command as follows:
# See all set-user-ID files:
find / -perm -4000
# See all set-group-ID files:
find / -perm -2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# The same, skipping /proc and listing the files in ls -l style
find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -ls

You need to investigate each reported file. See reported file man page for further details.
https://www.cyberciti.biz/tips/linux-security.html
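Investigating each reported file once is not enough; what matters afterwards is whether a new set-id file appears. The following is an added example (not code from cyberciti.biz or Gooken) that turns the find commands above into a baseline comparison; the temporary file location and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from cyberciti.biz or Gooken: list all setuid/setgid files below a
# directory and compare the list against a baseline taken earlier, so that a setuid binary
# that appeared since (a new package, or something planted on the system) is reported.

# find_setid_files ROOT: sorted paths of regular files with the SUID or SGID bit set.
# /proc and /sys are pseudo filesystems and are skipped; unreadable dirs are ignored.
find_setid_files() {
  find "$1" \( -path /proc -o -path /sys \) -prune -o \
       -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# setid_baseline ROOT FILE: store the current list as the reference for later diffs
setid_baseline() { find_setid_files "$1" > "$2"; }

# setid_diff BASELINE ROOT: lines "+ path" for files set-id now but not in the baseline,
# "- path" for baseline entries that are gone. Empty output means nothing changed.
setid_diff() {
  now="${TMPDIR:-/tmp}/setid.now.$$"
  find_setid_files "$2" > "$now"
  comm -13 "$1" "$now" | sed 's/^/+ /'
  comm -23 "$1" "$now" | sed 's/^/- /'
  rm -f "$now"
}

# Typical use (as root): setid_baseline / /var/lib/setid.baseline once, later
#   setid_diff /var/lib/setid.baseline /
# from cron or /etc/rc.local, and mail or log any output.
```

Keep the baseline file where only root can write it, otherwise the comparison can be defeated by editing the baseline instead of the binary.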

OKHow to Remove (Delete) Symbolic Links in Linux, linuxize.com, 09.05.2019
A symbolic link, also known as a symlink, is a special type of file that points to another file or directory. It is something like a shortcut in Windows. A symlink can point to a file or a directory on the same or a different filesystem or partition.
In this guide, we will show you how to remove (delete) symbolic links in Linux/UNIX systems using the rm, unlink, and find commands.
...
find /path/to/directory -maxdepth 1 -xtype l
https://linuxize.com/post/how-to-remove-symbolic-links-in-linux/


OKSafe-Linking: Making Linux exploitation harder, itweb.co.za, 05.22.2020
Businesses and users alike are constantly on the lookout for easier ways to do things, and shortcuts that help us work faster and with less effort. Unfortunately, bad actors are no different, and are always hunting for existing vulnerabilities or weaknesses, that can be exploited.
[...] A good example of this would be memory corruption attacks, which are often employed to exploit programs written in Linux, the most widely-used open source operating system in the world.
With this in mind, Check Point has created Safe-Linking, a security mechanism to protect the internal structure of the heap – or the portion of memory that is not set to a constant size before compilation and can be controlled dynamically by a programmer – from being tampered with.
[...] Simply put, Safe-Linking removes the address data for the program, so the bad actor can no longer be sure where in the system’s memory it will be loaded – making it much harder for them to launch an exploit against the program,” the company adds.
https://www.itweb.co.za/content/Kjlyrvw1ejVMk6am
https://reportcybercrime.com/safe-linking-making-linux-exploitation-harder/

Check Point closes a 20-year-old security hole in Linux, trojaner-info.de, 26.05.2020
The Check Point Research Team introduces a new protective measure for the operating system, called Safe-Linking. An ancient vulnerability is finally closed.
The Check Point Research Team introduces a new security method to make Linux systems considerably more secure. The security researchers succeeded in finally closing a 20-year-old and well-known security hole.
https://www.trojaner-info.de/sicher-anonym-im-internet/aktuelles/check-point-schliesst-20-jahre-alte-sicherheitsluecke-in-linux.html

[...] In our latest research, we created a security mechanism, called "Safe-Linking", to protect malloc()’s single-linked lists from tampering by an attacker. We successfully pitched our approach to maintainers of core open-source libraries, and it is now integrated into the most common standard library implementation: glibc (Linux) and its popular embedded counterpart: uClibc-NG.
https://www.terabitweb.com/2020/05/21/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/

OKUser auditing - The Big Brother is watching you
If you are really paranoid you might want to add a system-wide configuration to audit what the users are doing in your system. This section presents some tips using diverse utilities you can use.

- Input and output audit with script, 4.11.10.1
- Using the shell history file, 4.11.10.2
- Complete user audit with accounting utilities, 4.11.10.3
- Other user auditing methods, 4.11.10.4
- Reviewing user profiles, 4.11.11
- Limiting what users can see/access, 4.11.13
- Limiting access to other user's information, 4.11.13.1
- Generating user passwords, 4.11.14
- Checking user passwords

OKkauditd and auditd: Linux Audit Kernel Subsystem and Linux Audit System
Who audits the code?

kauditd: internal kernel auditing, for example of window titles from Firefox while online.


Kernel-internal audit daemon kauditd: URLs, web page contents: window titles, ... (online with browsers such as Firefox)


"00:00:12 [kauditd] dbadmin 4182 1 4182 0 1 May18 00:02:19 /opt/vertica/spread/sbin/spread -c /home/dbadmin/DatabaseName/v_DatabaseName_node0001_catalog/spread.conf..."
https://forum.vertica.com/discussion/236239/vertica-service-not-starting-after-server-reboot

kauditd is a kernel process, which is a part of the Linux kernel responsible for the kernel audit events (and communicates with the auditd process). The special brackets surrounding it are telling you that this is not a regular (userland) process (launched through a command), but a kernel process (started/managed by the Linux kernel itself)
https://wiki.gentoo.org/wiki/SELinux/Tutorials/The_security_context_of_a_process
auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting up the audit log file location and other options. With auditd you can answer the following questions:

- System startup and shutdown events (reboot / halt).
- Date and time of the event.
- User responsible for the event (such as trying to access the /path/to/topsecret.dat file).
- Type of event (edit, access, delete, write, update file & commands).
- Success or failure of the event.
- Records events that modify date and time.
- Find out who made changes to modify the system's network settings.
- Record events that modify user/group information.
- See who made changes to a file etc.

See our quick tutorial which explains enabling and using the auditd service.
https://www.cyberciti.biz/tips/linux-security.html
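Answering the questions in the list above means reading the SYSCALL records auditd writes. As an added example (not code from cyberciti.biz or Gooken), the script below summarises such records per login user (auid) and rule key and lists the denied attempts. The sample records are constructed in auditd's line format; their pids, inodes and timestamps are made up, and the keys passwd_changes and sshd_config are assumed names of rules such as "auditctl -w /etc/passwd -p wa -k passwd_changes".

```shell
#!/bin/sh
# Added example, not from cyberciti.biz or Gooken: summarise audit records by login user
# (auid) and rule key, so the questions above ("who touched what, did it succeed?") can be
# answered from /var/log/audit/audit.log. Sample records below are constructed in auditd's
# format; inode numbers, pids and timestamps are made up.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1590000001.123:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1590000001.123:101): item=0 name="/etc/passwd" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1590000002.456:102): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="sshd_config"
type=PATH msg=audit(1590000002.456:102): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1590000003.789:103): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/bin/bash" key="passwd_changes"'

# audit_summary: reads audit.log records on stdin and prints, sorted,
#   AUID KEY TOTAL FAILED
# one line per (login user, rule key). auid survives su/sudo, so it names the
# person, whereas uid/euid only name the account the command ran under.
audit_summary() {
  awk '
    $1 == "type=SYSCALL" {
      auid = ""; key = ""; ok = ""
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        name = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        if (name == "auid") auid = val
        else if (name == "key") { key = val; gsub(/"/, "", key) }
        else if (name == "success") ok = val
      }
      if (key == "" || key == "(null)") next   # records not produced by a keyed rule
      total[auid " " key]++
      if (ok == "no") failed[auid " " key]++
    }
    END { for (k in total) printf "%s %d %d\n", k, total[k], failed[k] + 0 }
  ' | sort
}

# failed_access: only the denied attempts (success=no), as "AUID EXE KEY"
failed_access() {
  awk '$1 == "type=SYSCALL" && / success=no / {
    auid = ""; exe = ""; key = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^auid=/) auid = substr($i, 6)
      else if ($i ~ /^exe=/) exe = substr($i, 5)
      else if ($i ~ /^key=/) key = substr($i, 5)
    }
    gsub(/"/, "", exe); gsub(/"/, "", key)
    print auid, exe, key
  }'
}

# On a real system: audit_summary < /var/log/audit/audit.log
# (ausearch -k passwd_changes shows the raw records of one rule.)
```

The two passes deliberately use the SYSCALL record only; the PATH record of the same event id (the number after the colon in msg=audit(...)) carries the file name and can be joined on that id when per-file detail is needed.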

OKkauditd and auditd: Kernel and Linux Audit System
Who audits the audit code?


How to use Auditing System in Linux - Configure, Audit Logs and ...
Well, the Linux Auditing system is the answer for all the above questions. The Linux Auditing system allows an administrator to configure audit rules to monitor the system calls, network access, files etc…and generate a summary report – which can be later analyzed and investigated for suspicious activity.
https://techglimpse.com/how-to-use-auditing-system-in-linux-configure-audit-logs-and-generate-reports/


The Linux audit subsystem is not one of the best-loved parts of the kernel. It allows the creation of a log stream documenting specific system events — system calls, modifications to specific files, actions by processes with certain user IDs, etc. For some, it is an ideal way to get a handle on what is being done on the system and, in particular, to satisfy various requirements for security certifications (Common Criteria, for example). For others, it is an ugly and invasive addition to the kernel that adds maintenance and runtime overhead without adding useful functionality. More recently, though, it seems that audit adds some security holes of its own. But the real problem, perhaps, is that almost nobody actually looks at this code, so bugs can lurk for a long time.
The system call auditing mechanism creates audit log entries in response to system calls; the system administrator can load rules specifying which system calls are to be logged. These rules can include various tests on system call parameters, but there is also a simple bitmask, indexed by system call number, specifying which calls might be of interest. One of the first things done by the audit code is to check the appropriate bit for the current system call to see if it is set; if it is not, there is no auditing work to be done.
[...] In summary, the code is a giant mess. The way it works is nearly incomprehensible. It contains at least one severe bug. I'd love to see it fixed, but for now, distributions seem to think that enabling CONFIG_AUDITSYSCALL is a reasonable thing to do, and I'd argue that it's actually a terrible choice for anyone who doesn't actually need syscall audit rules. And I don't know who needs these things.

It is telling, though, that this particular vulnerability has existed in the audit subsystem almost since its inception. The audit code receives little in the way of review; most kernel developers simply turn it off for their own kernels and look the other way. But this subsystem is just the sort of thing that distributors are almost required to enable in their kernels; some users will want it, so they have to turn it on for everybody. As a result, almost all systems out there have audit enabled (look for a running kauditd thread), even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
If audit were to be implemented today, the developer involved would have to give some serious thought, at least, to using the tracing mechanism. It already has hooks applied in all of the right places, but those hooks have (almost) zero overhead when they are not enabled. Tracing has its own filtering mechanism built in; the addition of BPF-based filters will make that feature more capable and faster as well. In a sense, the audit subsystem contains yet another kernel-based virtual machine that makes decisions about which events to log; using the tracing infrastructure would allow the removal of that code and a consolidation to a single virtual machine that is more widely maintained and reviewed.
The audit system we have, though, predates the tracing subsystem, so it could not have been based on tracing. Replacing it without breaking users would not be a trivial job, even in the absence of snags that have been glossed over in the above paragraph (and such snags certainly exist). So we are likely stuck with the current audit subsystem (which will certainly not be marked "broken" in the mainline kernel) for the foreseeable future. Hopefully it will receive some auditing of its own just in case there are more old surprises lurking therein.
Posted May 30, 2014 6:50 UTC (Fri) by bnorris (subscriber, #92090)
> As a result, almost all systems out there have audit enabled

$ grep CONFIG_AUDIT /boot/config-`uname -r`
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

( You might want to comment them in ... )

> (look for a running kauditd thread)
None here.
> even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
I'm not an expert on the kaudit subsystem (in fact, I just learned of it), but it looks like kauditd is only spawned in response to a user-space request for it (e.g. from SELinux auditd). See kernel/audit.c:...
https://lwn.net/Articles/600568/

man auditd
man auditd.conf

Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):


OKauditctl -e0 # for example within /etc/rc.local

Disable auditd permanently (this will require a reboot):

systemctl disable auditd

http://kb.ictbanking.net/article.php?id=632

OKkauditd - CentOS | Forum
kauditd. General support questions including new installations. How to disable kauditd? I tried to put audit=0 to the kernel line in grub, but no luck....
www.centos.org/forums/viewtopic.php?t=10899

kauditd might take care of the connection even with SELinux from the NSA. So why did he have no luck with it? The boot parameter "audit=0" (for grub: within /boot/grub/menu.lst) prevents the kernel audit thread kauditd from ever starting: no auditing of things like Firefox by the kernel anymore!

OKDisable the OOM Killer (process oom_reaper), The Ubuntu Forum Community, Ubuntu Specialised Support, January 2nd, 2014
As the title suggests, regardless of the repercussions, how do you disable this "feature".
Please do not provide alternate suggestions such as "get more ram" or "tell the program to use less memory".
I'm running a Minecraft server that has its heap space and permgen configured to use nearly all of the available memory on the vps where it resides. I have a highly specific reason for doing this and no, it has never caused me any problems in the past.

Yes the OOM Killer is killing the process see: OOM killed process 659 (java) vm:4973220kB, rss:2066504kB, swap:0kB
Whoever thought killing processes that are consuming beyond a specific amount of memory was a good idea, you have caused me and the users of my server immeasurable levels of frustration. I am no Linux guru, so any help would be appreciated so long as that help reads "To disable the oom-killer do X".
Thank you in advance.

Re: Disable the OOM Killer
http://thetechnick.blogspot.com/2010...-on-linux.html
http://www.oracle.com/technetwork/ar...r-1911807.html
The OOM killer can be completely disabled with the following command. This is not recommended for production environments, because if an out-of-memory condition does present itself, there could be unexpected behavior depending on the available system resources and configuration. This unexpected behavior could be anything from a kernel panic to a hang depending on the resources available to the kernel at the time of the OOM condition.

sysctl vm.overcommit_memory=2 # mouseclick-fast (remark, Gooken)
echo "vm.overcommit_memory=2" >> /etc/sysctl.conf

[...] Re: Disable the OOM Killer
Hi, Psionic,
I was having the same difficulties. You report that the oom-killer is still killing your process, I suggest either properly fully disabling the oom-killer or lowering the overcommit ratio, as follows:

Disabling OOM Killer
According to: https://www.kernel.org/doc/Documenta...ups/memory.txt
Code:

You can disable the OOM-killer by writing "1" to memory.oom_control file, as:

# echo 1 > memory.oom_control # (memory.oom_control is a file of the cgroup memory controller, not a variable known to sysctl; remark, Gooken)

Reducing Overcommit Ratio
According to https://www.kernel.org/doc/Documenta...mit-accounting
Code:

2 - Don't overcommit. The total address space commit for the system is not permitted to exceed swap + a configurable amount (default is 50%) of physical RAM.
Depending on the amount you use, in most situations this means a process will not be killed while accessing pages but will receive errors on memory allocation as appropriate.
Useful for applications that want to guarantee their memory allocations will be available in the future without having to initialize every page.
The overcommit policy is set via the sysctl 'vm.overcommit_memory'.
The overcommit amount can be set via 'vm.overcommit_ratio' (percentage) or 'vm.overcommit_kbytes' (absolute value).
There's a rather good article on this topic http://www.linuxdevcenter.com/pub/a/...ry.html?page=1
Of course, in general if you're getting processes killed it means there's a problem with using more memory than the system can cope with, and the symptoms are very likely to come out somewhere else. In my case the oom-killer was definitely picking the right process, even though it was the primary purpose of the whole computer: the program had a data-dependent bug and was allocating memory out of control.
I hope that helps.
Kind regards,
...
https://serverfault.com/questions/606185/how-does-vm-overcommit-memory-work

More about oom_reaper
https://stackoverflow.com/questions/35791416/how-to-disable-the-oom-killer-in-linux
https://lwn.net/Articles/666024/
https://lwn.net/Articles/668126/
https://code.woboq.org/linux/linux/mm/oom_kill.c.html
https://www.oracle.com/technical-resources/articles/it-infrastructure/dev-oom-killer.html
https://superuser.com/q/1150215
https://ubuntuforums.org/showthread.php?t=2197016
https://askubuntu.com/q/1188024
https://unix.stackexchange.com/q/432171
https://blog.csdn.net/s_lisheng/article/details/82192613

OKrtkit-daemon (rpm rtkit)
Description: "RealtimeKit is a D-Bus system service that changes the scheduling policy of user processes/threads to SCHED_RR (i.e. realtime scheduling mode) on request. It is intended to be used as a secure mechanism to allow real-time scheduling to be used by normal user processes.".
https://fr2.rpmfind.net/
"It's ... a management daemon so to say. Instead of applications asking the kernel directly (and needing proper permissions for this, usually root) they ask the daemon. The daemon can hand out the realtime permissions then according to its configuration (/etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf). It's simply a helper process that allows applications to ask for realtime permissions through dbus ... not really much more. But having such a helper process makes the whole procedure much more secure (no suid root needed for some programs), cleaner (dbus interface) and more flexible (one daemon to configure, not each program with an own configuration .. if at all)."

Since rtkit is hardly needed, as the quote above tells us, and nothing really depends on it, it might not be a bad idea to uninstall it:

"rpm -e --nodeps rtkit"

... eventually the same with PackageKit (el6), gvfsd (gvfs, el6) and so on: just uninstall them! The fewer (not really needed) daemons run as root, the more secure the system might behave ...

OKnetns, migration/0, kintegrityd, oom_reaper, ... (one of them lists the current website title!)
Kernel daemons mostly cannot be deactivated manually! This might only be possible by removing some (not needed) kernel modules with rmmod or delmod, or through the kernel configuration (within the file .config).
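The two preceding sections draw a line that is easy to check automatically: userland daemons running as root (rtkit, PackageKit, gvfsd, ...) can be uninstalled or sandboxed, while kernel threads (netns, oom_reaper, kintegrityd, ...) are children of kthreadd (PID 2) and can only go away through kernel configuration. The following is an added example (not code from Gooken) that separates the two groups from ps output; the sample snapshot is constructed and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from Gooken: separate kernel threads (which cannot be uninstalled
# or wrapped in unshare) from userland daemons running as root (which can be removed,
# sandboxed or run under another user). The snapshot below is constructed, in the
# column order of: ps -eo user=,pid=,ppid=,comm=
SAMPLE_PS='root 1 0 init
root 2 0 kthreadd
root 37 2 kauditd
root 41 2 oom_reaper
root 44 2 kintegrityd
root 120 2 migration/0
root 845 1 udevd
root 901 1 cupsd
root 930 1 packagekitd
user 1200 1 firefox'

# root_userland_daemons: "PID NAME" of root processes that are neither init (PID 1),
# kthreadd (PID 2) nor children of kthreadd. Kernel threads are forked by kthreadd,
# so a parent PID of 2 identifies them reliably; these are the review candidates.
root_userland_daemons() {
  awk '$1 == "root" && $2 > 2 && $3 != 2 { print $2, $4 }'
}

# kernel_threads: the opposite set, kthreadd itself and everything it spawned
kernel_threads() {
  awk '$2 == 2 || $3 == 2 { print $2, $4 }'
}

# live_root_daemons: the same classification on the running system
live_root_daemons() {
  ps -eo user=,pid=,ppid=,comm= | root_userland_daemons
}
```

Run live_root_daemons before and after removing a package to confirm that the daemon is really gone; anything that still shows up with a parent PID of 2 is not a candidate for rpm -e.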

OKnetns
Running strongSwan in Network Namespaces (netns) on Linux
Normally, the network stack (interfaces, routing tables, firewall rules etc.) is shared by all processes running on an operating system. With Linux network namespaces (netns) it's possible to have multiple separate instances of the network stack.
Note: While basic support for network namespaces was added to the Linux kernel a long time ago, some features (e.g. CLUSTERIP support) might require a recent kernel.
The easiest way to work with network namespaces is to use the ip command of the iproute2 package. These commands will have to be executed as root (i.e. with sudo on most distros).
Network Namespace Basics
To create a new netns use the following command:

# ip netns add <network namespace name>

A list of all currently defined netns is provided by ip netns list.

Interfaces can be assigned to a netns with the ip link command:

# ip link set <interface name> netns <netns name>

If you run ip link list afterwards such an interface won't be seen as it is only available in the configured netns.

So to actually list the interface in a specific netns it's required to be able to run commands in a specific netns. This can be done with the ip netns exec command. So to get a list of interfaces defined in a specific netns use:

# ip netns exec <netns name> ip link list

If only one physical interface is available, or if you don't want to assign physical interfaces to the netns for other reasons, it's possible to create virtual Ethernet interface pairs (veth, provided via CONFIG_VETH). These are like a bi-directional pipe (i.e. what's written to one end comes out the other and vice-versa) of which one end is placed inside the netns and the other stays outside in the "default" or "global" namespace.

To create such a pair use:

# ip link add <interface name 1> type veth peer name <interface name 2>

This creates two connected Ethernet interfaces with the given names. One is assigned to a netns (via ip link) the other is not (it doesn't matter which one and it's also possible to assign both interfaces to two different netns to connect them). How the outer interface is used depends on the use case, it may be put inside a bridge, or used in routing rules to route traffic to and from a netns.

Since interfaces assigned to a netns are disabled they have to be enabled first, and they will probably also require an IP address, which can be done with:

# ip netns exec <netns name> ip addr add x.x.x.x/x dev <iface name>
# ip netns exec <netns name> ip link set dev <iface name> up

Similar to these commands routes or firewall rules may be added by running ip route or iptables inside a specific netns via ip netns exec <command>.

Running a single instance of strongSwan inside a netns is straight-forward. Simply run ipsec commands via ip netns exec ipsec <command>.
But more interesting is probably running multiple instances of strongSwan in separate namespaces. Because all netns share the same file system this is a bit tricky.
Luckily, the ip netns exec command provides a helpful feature: Every file found in /etc/netns/<name>/ for a given netns is bind mounted over its corresponding counterpart in /etc (so it has to exist there). This can be used to provide different config files for each instance, but may also be used to redirect the so called piddir, where the charon and starter daemons create their PID files and UNIX sockets (the default is to use /var/run, which would conflict if multiple instances would use it).
To do so make sure strongSwan is configured with --sysconfdir=/etc and e.g. --with-piddir=/etc/ipsec.d/run. Then after building and installing strongSwan the piddirs can be created as follows:

# mkdir -p /etc/ipsec.d/run
# mkdir -p /etc/netns/<netns name 1>/ipsec.d/run
# mkdir -p /etc/netns/<netns name 2>/ipsec.d/run
https://wiki.strongswan.org/projects/strongswan/wiki/Netns

OKstrongSwan is an OpenSource IPsec-based VPN Solution for Linux
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RFC 2560)
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
https://fr2.rpmfind.net

Block network access of a process, unix.stackexchange.com
It is possible to block the (outgoing) network access of a single process in different ways: by unshare / nsenter, ip-netns, iptables, apparmor and firejail.
https://unix.stackexchange.com/questions/68956/block-network-access-of-a-process
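The netns procedure from the strongSwan wiki above, and the "ip-netns" way of blocking a process's network access from the unix.stackexchange answer, as one added example script (not code from the strongSwan wiki, from unix.stackexchange or from Gooken). It needs root and iproute2 to do anything real; with DRYRUN=1 it prints the ip commands instead of executing them, which is how it can be exercised without privileges. The namespace and interface names and the 10.200.0.0/24 addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the strongSwan wiki, the unix.stackexchange answer or Gooken:
# create a network namespace, connect it to the default namespace through a veth pair,
# address both ends, and run commands inside it. Needs root and iproute2; with DRYRUN=1
# it prints the ip commands instead of executing them.
# The names (isolated, veth-host, veth-ns) and the 10.200.0.0/24 addresses are assumptions.

# run CMD...: execute, or just print when DRYRUN=1
run() {
  if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# netns_create NAME HOST_IF NS_IF NS_ADDR/PLEN HOST_ADDR/PLEN
# Interfaces moved into a netns come up disabled and without addresses, so each end
# is addressed and enabled explicitly; the namespace's default route points at the host end.
netns_create() {
  ns=$1 host_if=$2 ns_if=$3 ns_addr=$4 host_addr=$5
  run ip netns add "$ns"
  run ip link add "$host_if" type veth peer name "$ns_if"
  run ip link set "$ns_if" netns "$ns"
  run ip addr add "$host_addr" dev "$host_if"
  run ip link set dev "$host_if" up
  run ip netns exec "$ns" ip link set dev lo up
  run ip netns exec "$ns" ip addr add "$ns_addr" dev "$ns_if"
  run ip netns exec "$ns" ip link set dev "$ns_if" up
  run ip netns exec "$ns" ip route add default via "${host_addr%/*}"
}

# netns_isolated NAME: a namespace with only loopback; a process started in it with
# netns_run has no network at all (the "ip-netns" way of blocking a process's access).
netns_isolated() { run ip netns add "$1"; run ip netns exec "$1" ip link set dev lo up; }

# netns_run NAME CMD...: run CMD with the network stack of NAME (e.g. netns_run vpn1 ipsec status)
netns_run() { ns=$1; shift; run ip netns exec "$ns" "$@"; }

# netns_destroy NAME: removes the namespace; its end of the veth pair goes with it,
# and the host end disappears too, because a veth device cannot exist without its peer.
netns_destroy() { run ip netns delete "$1"; }

# Example session (as root):
#   netns_create isolated veth-host veth-ns 10.200.0.2/24 10.200.0.1/24
#   netns_run isolated ipsec status
#   netns_destroy isolated
```

Traffic from the connected namespace only reaches beyond the host end of the veth pair if forwarding and, usually, NAT are configured in the default namespace; without that, the namespace can talk to the host address only, which is often exactly the amount of reachability wanted for a sandboxed daemon.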

OKNotice: We use the above-mentioned command "unshare" for starting the following (do them all, just to be careful!):
- firejail, for sandboxing firefox (including for example libtrace.so, whose versions differ in file size), by the command "unshare firejail ..." etc.
- psad (/etc/init.d/psad: prog="unshare psad")
- uuidd (/etc/init.d/uuidd with prog="unshare uuidd" and "daemon .... unshare $DAEMON" within the start function)
- apparmor-dbus, out of /etc/rc.local
- messagebus (/etc/init.d/messagebus with processname="unshare dbus-daemon", dbus)
- gpm (/etc/init.d/gpm with daemon "unshare /usr/sbin/gpm" -m ...)
- cups (/etc/init.d/cups with daemon "unshare cups" ...)
- dm (again in /etc/init.d/dm)
- X (X11): enhance the command for the execution of X with unshare in /usr/share/config/kdm/kdmrc (resp., to be more concrete, follow the linking of that file): "ServerCmd=/usr/bin/unshare /usr/bin/X"
- kdm (/usr/share/config/kdm/kdmrc with "Preloader=/usr/bin/unshare /usr/bin/preloadkde")
- haldaemon (/etc/init.d/haldaemon)
- udevd (in /sbin/start_udev with "else /usr/bin/unshare /sbin/udevd -d ...")
- polkitd (/etc/xdg/polkit-gnome-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-gnome-authentication-agent-1" and /etc/xdg-polkit-kde-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-kde-authentification-agent-1")
- konsole and xterm, dolphin, drakconf.real resp. drakconf (MCC)
- network-ready games like gl-117, trackballs, extremetuxracer, marsshooter, freedroidrpg, orbital, xonotic etc. in future
Some kernel modules are loaded through unshare as well (for example in /etc/rc.local): usblp for USB printers: unshare `modprobe usblp`; graphic card (just experimental): unshare `i915`; mainboard (just experimental!): unshare `lpc_ich`; (less experimental): unshare `modprobe video`. Still NOT functioning are the "unshared" variants for internal kernel processes such as the kernel daemon netns (/etc/rc.local): "unshare --net --mount -p pidof netns", oom_reaper (/etc/rc.local): "unshare --net --mount -p pidof oom_reaper", migration/0 (/etc/rc.local): "unshare --net --mount -p pidof migration/0". Also try firejail for a sandboxed network namespace with the options net, netfilter, join-network=name|pid and netns; see man firejail, section join-network, for good examples that also work fine with Linfw3 (through iptables-restore and iptables-save), or try slirp4netns (OpenSuSE 15.2).

Gooken does not want to claim something wrong, but hardening the root and suid processes with unshare in particular makes the computer secure (as nearly all remaining risks now depend on kernel processes) and, as we, believe it or not, really think we have noticed, very mouseclick-fast too!

OKwatchdogd: How can I disable a watchdog, once it has been enabled?
Normally to shut down the watchdog driver you have to write a 'V' character to /dev/watchdog which you could do from a root bash prompt just with:

echo 'V' > /dev/watchdog

However, before you try to create your own watchdog driver take a look at the existing Linux watchdog daemon to see, if it can do the job. A good start is my page here: http://www.sat.dundee.ac.uk/~psc/watchdog/Linux-Watchdog.html
https://unix.stackexchange.com/questions/144588/how-can-i-disable-a-watchdog-once-it-has-been-enabled

OKIncrease kernel integrity with disabled Linux kernel modules loading
Increasing Linux kernel integrity: Disable loading kernel modules on Linux systems, linux-audit.com
The Linux kernel can be configured to disallow loading new kernel modules. This feature is especially useful for highly secure systems, or if you care about securing your system to the fullest. In this article, we will have a look at the configuration of this option, while at the same time allowing legitimate kernel modules to be loaded.
Disable kernel modules
Newer kernels have a sysctl variable named kernel.modules_disabled.
Sysctl is the tool which allows you to see and change kernel settings of a running system. The related /etc/sysctl.conf file is used to ensure that your settings are also used at the next boot of the system.
The sysctl key kernel.modules_disabled is very straightforward. If it contains a "1" it will disable loading new modules, whereas a "0" will still allow loading them.
Using this option will be a great protection against loading malicious kernel modules. For example, it may help to counter rootkits. Needless to say, when someone has already been able to gain root access, you have a serious problem. Still, setting this security measure can be useful to achieve maximum hardening of your Linux system. An altered script or program has no chance of loading things you didn't specifically approve.
[...] By default, the sysctl key is set to "0", which means new modules can be loaded. This is a safe default for systems but also allows malicious modules to be loaded.

# sysctl -a | grep modules
kernel.modules_disabled = 0

Now we disable loading new modules, by using the sysctl key and setting it to "1". There are two ways of doing it: using sysctl directly, or echoing the value to a file on the pseudo file system /proc, which holds the kernel settings.

# echo 1 > /proc/sys/kernel/modules_disabled

Protection against re-enabling
You might think that loading a kernel module is as simple as re-enabling the option and then still loading your kernel module. The kernel has a built-in protection to avoid this from happening. Trying to set the value back to "0" will result in an "invalid argument" message.
(Screenshot: sysctl showing "invalid argument" when trying to set the value.)
As can be seen, sysctl will say the value is set to "0". However, the value isn't applied, as this key is read-only. Slightly confusing, and therefore always good to check the value again.

# sysctl kernel.modules_disabled
kernel.modules_disabled = 1

As expected, the value is still set to "1".
Disable module loading after boot time

By configuring the /etc/sysctl.conf file we can disallow the loading of kernel modules at boot time. Simply add the related line, with the value "1" as shown in the example.
Caveat: Things might break
Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases.
Hybrid option
Instead of enabling the option directly via /etc/sysctl.conf, it might be better to activate this setting after booting and loading required modules.
Your startup script could be looking like

#!/bin/sh
# code by Gooken
# Wait until the hardware has settled so that the modules below can be loaded.
sleep 45 # original text: 300; decrease this time, if usb and all modules are working fine, if not, check lsmod and increase it
# insmod <module>
# insmod <module>
modprobe usb_storage
modprobe vfat
modprobe fat
modprobe nls_iso8859_1
modprobe nls_cp437
modprobe crypto_simd
modprobe glue_helper
modprobe dax
modprobe uinput
modprobe ahci
modprobe libahci
modprobe ecb
modprobe af_alg
modprobe algif_skcipher
modprobe lrw
modprobe gf128mul
modprobe cbc
modprobe aes_x86_64 # for USB, that might be LUKS-encrypted
modprobe twofish_common
modprobe twofish_x86_64_3way
modprobe twofish_x86_64
modprobe twofish_generic
# Finally lock module loading; this cannot be undone without a reboot.
echo 1 > /proc/sys/kernel/modules_disabled


Usually, to get iptables working, the related modules are: iptables, x_tables, iptable_filter.
Depending on your Linux distribution, the startup should be loaded as late as possible. If you have /etc/rc.local available, that is usually a safe bet.
Do you use this option already? Or found some other caveats? Like to hear your feedback in the comments.
https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/

In other words: write the small routine from above into a runlevel init script (for example the one of /etc/init.d/linfw3, renamed to /etc/init.d/modules-disabled), right into the start function, where it is executed by the command "start &" (and not just the command "start") in the background. Before this is done, remove all code not needed anymore from this script. The script itself is then executed not as usual by chkconfig, ntsysv7, the MCC (drakconf) or systemd, but only out of /etc/rc.local by the command "sh /etc/init.d/modules-disabled start".
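As an added example (not Gooken's script and not from linux-audit.com), the same hybrid approach with the two checks the plain script above does not do: every module from a list file is verified in /proc/modules after modprobe, and the lock is confirmed by reading the sysctl back. The list file name /etc/modules-disabled.list is an assumption; all paths and the modprobe command can be overridden with environment variables.

```shell
#!/bin/sh
# Added example: load a module list, verify each module, then lock module loading.
# Not Gooken's script; paths below are assumptions and can be overridden.
MODLIST="${MODLIST:-/etc/modules-disabled.list}"   # hypothetical list file, one module per line
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
LOCK_KEY="${LOCK_KEY:-/proc/sys/kernel/modules_disabled}"
MODPROBE="${MODPROBE:-modprobe}"

# Succeed if module $1 is listed in $PROC_MODULES (module name is the first field).
module_loaded() {
    grep -q "^$1 " "$PROC_MODULES"
}

# Load every module named in $MODLIST and report the ones that did not show up.
# Returns the number of modules still missing afterwards (0 = all present).
load_all_modules() {
    missing=0
    while read -r mod _; do
        case "$mod" in ''|\#*) continue ;; esac   # skip blank lines and comments
        "$MODPROBE" "$mod" 2>/dev/null || echo "WARN: modprobe $mod failed" >&2
        if ! module_loaded "$mod"; then
            echo "WARN: $mod not present after modprobe" >&2
            missing=$((missing + 1))
        fi
    done < "$MODLIST"
    return "$missing"
}

# Write the lock and confirm it took effect. Once this returns 0 the kernel
# rejects further module loads and any attempt to write 0 back (see above).
lock_modules() {
    echo 1 > "$LOCK_KEY" || return 1
    [ "$(cat "$LOCK_KEY")" = "1" ]
}

# Entry point for /etc/rc.local: "sh modules-disabled.sh start"
if [ "${1:-}" = "start" ]; then
    sleep 45   # give USB and storage time to settle, as in the script above
    load_all_modules || echo "WARN: $? module(s) missing, locking anyway" >&2
    lock_modules && echo "kernel module loading locked"
fi
```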

OKkernel.printk.* in /etc/sysctl.conf
kernel.printk = 0 6 7 0 # The four values of kernel.printk denote: console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel respectively.
# log levels: 0=emerg, 1=alert, 2=crit, ...
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. number of messages within that period
https://unix.stackexchange.com/questions/13019/description-of-kernel-printk-values

OKAnalyze logs regularly
Store logs on a dedicated log server. This prevents intruders from modifying log files in a simple way. Here once more, by name, the log files common in Linux and their use:

/var/log/message - here more or less the whole system logs
/var/log/auth.log - authentication
/var/log/kern.log - kernel logs
/var/log/cron.log - crond logs (cron jobs)
/var/log/maillog - mail server logs
/var/log/boot.log - system boot log
/var/log/mysqld.log - log file of the MySQL database server
/var/log/secure - authentication
/var/log/utmp or /var/log/wtmp : login records
/var/log/yum.log: yum log file
https://www.tecmint.com/linux-server-hardening-security-tips/

OKPrevent too much system information in logfiles
The system log levels range from debug over info and warning up to emerg. Detailed logging is something to think about: the logs can be read by users as well as by processes. For the output of dmesg, log level "warning" restricts the delivered log information:

/etc/init.d/rklogd
RKLOGD_OPTIONS="-c 4"

OKUsing and customizing logcheck
The logcheck package in Debian is divided into the three packages logcheck (the main program), logcheck-database (a database of regular expressions for the program) and logtail (prints loglines that have not yet been read). The Debian default (in /etc/cron.d/logcheck) is that logcheck is run every hour and after reboots.
This tool can be quite useful if properly customized to alert the administrator of unusual system events. Logcheck can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file /etc/logcheck/logcheck.conf, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: /etc/logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_, and /etc/logcheck/ignore.d.workstation/_packagename_. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a wishlist bug). For more information read /usr/share/doc/logcheck/README.Debian.
The best way to configure logcheck is to edit its main configuration file /etc/logcheck/logcheck.conf after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. logcheck-database has three report levels of increasing verbosity: workstation, server, paranoid. "server" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to /etc/logcheck/logcheck.logfiles. It is tuned for default syslog install.
Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see regex(7) and egrep(1)) that correspond to these messages to /etc/logcheck/ignore.d.reportlevel/local. Try to match the whole logline. Details on how to write rules are explained in /usr/share/doc/logcheck-database/README.logcheck-database.gz. It's an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if logcheck does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky).

OKConfigure, where alerts are sent
Debian comes with a standard syslog configuration (in /etc/syslog.conf) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the syslog.conf file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed.
For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems).
Root's mail should be considered also; many security controls (like snort) send alerts to root's mailbox. This mailbox usually points to the first user created in the system (check /etc/aliases). Take care to send root's mail to some place where it will be read (either locally or remotely).
There are other role accounts and aliases on your system. On a small system, it's probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator's personal mailbox.

OKFirefox: Copy the secure libssl*, libnss* and libnspr4* of the Tor Browser (ESR) or out of a current Firefox such as 63 to Firefox (ESR, same version as the Tor Browser) into /usr/lib64/firefox/, followed by chown root:root and chmod 755 on them.

OKProtecting against ARP attacks
When you don't trust the other boxes on your LAN (which should always be the case, because it's the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know, the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache, then, if the IP isn't present in the cache, by broadcasting an ARP query) to find the target's hardware address. All the ARP attacks aim to fool your box into thinking that box B's IP address is associated with the intruder's box's MAC address; then every packet that you want to send to the IP associated with box B will be sent to the intruder's box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exist, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:

Use a static ARP cache. You can set up "static" entries in your ARP cache with:

arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don't expire and can't be modified) and spoofed ARP replies will be ignored.
Detect suspicious ARP traffic. You can use arpwatch, karpski or a more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.
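Added example for the "detect suspicious ARP traffic" step (not from the Debian manual and not Gooken's code): two checks over the kernel's /proc/net/arp table, comparing it against the hosts you pinned with arp -s and flagging one MAC that answers for several IPs. The trusted-list file name /etc/arp-trusted.list and its "ip mac" line format are assumptions; both paths can point at constructed files.

```shell
#!/bin/sh
# Added example: ARP cache checks in the style of arpwatch, over /proc/net/arp.
# Not from the Debian manual; file names below are assumptions.
ARP_TABLE="${ARP_TABLE:-/proc/net/arp}"
TRUSTED="${TRUSTED:-/etc/arp-trusted.list}"   # hypothetical file: "ip mac" per line

# Cached entries whose MAC differs from the pinned one. Rows with flags 0x0 are
# incomplete (no reply received yet) and carry an all-zero MAC, so they are skipped.
arp_check_trusted() {
    awk 'FILENAME == ARGV[1] {
             if ($1 !~ /^#/ && NF >= 2) trusted[$1] = tolower($2)
             next
         }
         FNR > 1 && $3 != "0x0" && ($1 in trusted) && tolower($4) != trusted[$1] {
             print "MISMATCH " $1 " expected " trusted[$1] " cache has " tolower($4) " on " $6
         }' "$TRUSTED" "$ARP_TABLE"
}

# One MAC answering for several IPs on the same interface. A router or a VRRP pair
# can do this legitimately, so treat hits as something to look at, not as proof.
arp_check_duplicates() {
    awk 'FNR > 1 && $3 != "0x0" {
             key = tolower($4) "/" $6
             n[key]++
             ips[key] = ips[key] " " $1
         }
         END { for (k in n) if (n[k] > 1) print "DUPLICATE " k " claims" ips[k] }' "$ARP_TABLE"
}

# Usage from cron, for example: sh arp-check.sh check | mail -s "ARP anomalies" root
if [ "${1:-}" = "check" ]; then
    arp_check_trusted
    arp_check_duplicates
fi
```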

OKSecure up services running on your system
SSH, Squid, FTP, X Window System, display manager, printer access, mail service, BIND, Apache, Finger, chroot and suid paranoia, cleartext password paranoia, deactivating NIS, deactivating RPC services:
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html

OKPackage signing
https://www.debian.org/doc/manuals/securing-debian-howto/ch7.de.html

OKRemote vulnerability assessment tools
The tools provided by Debian to perform remote vulnerability assessment are:

nessus, raccess, nikto (whisker´s replacement)

By far the most complete and up-to-date tool is nessus, which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are even able to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.

OKNetwork scanner tools
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides:

nmap, xprobe, p0f, knocker, isic, hping2, icmpush, nbtscan (for SMB /NetBIOS audits), fragrouter, strobe (in the netdiag package), irpas

While xprobe provides only remote operating system detection (using TCP/IP fingerprinting), nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.
Designed specifically for SMB networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.

OKVirtual Private Networks
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.
Debian provides quite a few packages to set up encrypted virtual private networks:

vtun, tunnelv (non-US section), cipe-source, cipe-common, tinc, secvpn, pptpd, openvpn, openswan (http://www.openswan.org/)

The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), VPN HOWTO (covers PPP over SSH), Cipe mini-HOWTO, and PPP and SSH mini-HOWTO.
Also worth checking out is Yavipin, but no Debian packages seem to be available yet.

OKReaction in the case of a user idle state, https://wiki.centos.org/HowTos/OS_Protection
Now that we've restricted the login options for the server, let's kick off all the idle folks. To do this, we're going to use a bash variable in /etc/profile. There are some reasonably trivial ways around this of course, but it's all about layering the security.

echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh

OKRestrictions for cron and at, https://wiki.centos.org/HowTos/OS_Protection
In some cases, administrators may want the root user or other trusted users to be able to run cronjobs or timed scripts with at. In order to lock these down, you will need to create a cron.deny and at.deny file inside /etc with the names of all blocked users. An easy way to do this is to parse /etc/passwd. The script below will do this for you.

echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny

OKLockdown Cronjobs
Cron has its own built-in feature which allows to specify who may and who may not run jobs. This is controlled by the use of the files /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny; to allow a user to run cron, add it to the cron.allow file. If you would like to disable all users from using cron, add the 'ALL' line to the cron.deny file.

# echo ALL >>/etc/cron.deny
Cron Scheduling Examples in Linux: https://www.tecmint.com/11-cron-scheduling-task-examples-in-linux/
https://www.tecmint.com/linux-server-hardening-security-tips/

OKSysctl Security, https://wiki.centos.org/HowTos/OS_Protection
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. If these lines exist, modify them to match below. If they don't exist, simply add them in. If you have multiple network interfaces on the server, some of these may cause issues. Test these before you put them into production. If you want to know more about any of these options, install the kernel-doc package and look in Documentation/networking/ip-sysctl.txt

# Kernel sysctl configuration file
# /etc/sysctl.conf
# test with sysctl -p /etc/sysctl.conf
# additionally from http://joshrendek.com/2013/01/securing-ubuntu/ resp. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
# Turn on execshield
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 1
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
vm.overcommit_memory=2 # mouseclick-fast
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mouseclick-fast
# or: vm.overcommit_kbytes=
vm.page-cluster =3
vm.oom_dump_tasks =0
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.eth0.disable_ipv6=1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 0
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
# net.core.default_qdisc=sch_fq_codel
net.ipv4.tcp_congestion_control=cubic
# BBR
# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0



#
# BBR - network turbo for Linux
# The new flow control also seems ideal for servers in the local network that now and then should use the full network bandwidth, for example when transferring large files on NAS devices, Nextcloud or streaming servers.
# https://www.pcwelt.de/ratgeber/BBR-Netzwerkturbo-fuer-Linux-im-Ueberblick-10612165.html
# net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.netdev_max_backlog = 5000
#
kernel.sysrq = 0
kernel.core_uses_pid = 1
fs.file-max=65535
kernel.pid_max=65536
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 134217728
kernel.shmall = 4294967296
kernel.randomize_va_space = 2
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1
net.ipv6.conf.lo.use_tempaddr = 0
# IP dynaddr (1 = enabled, 0 = disabled)
net.ipv4.ip_dynaddr = 1
# ECN (1 = enabled; set to 0 to disable)
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0

kernel.dmesg_restrict = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1

# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1

net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.default.router_solicitations=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.core.rmem_default =212992
net.core.wmem_default =212992
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mouseclick-fast
# or: vm.overcommit_kbytes=
vm.page-cluster =3
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
net.ipv4.conf.all.rp_filter=1
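Added example (not from the CentOS wiki and not Gooken's code) to accompany the "test with sysctl -p" comment above: a drift check that parses a sysctl.conf-style file and compares each key with its live value under /proc/sys, so keys rejected at boot, overridden by a file in /etc/sysctl.d/, or changed by another tool become visible. The config file and /proc/sys paths are assumptions that can be overridden with environment variables.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against the running kernel.
# Not from the CentOS wiki; the paths below are assumptions and can be overridden.
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.conf}"
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Turn "key = a  b" lines into "key|a b": comments stripped, whitespace normalised.
parse_sysctl_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" |
    awk -F= 'NF >= 2 {
        key = $1; sub(/[[:space:]]+$/, "", key)
        val = $2; gsub(/[[:space:]]+/, " ", val)
        sub(/^ /, "", val); sub(/ $/, "", val)
        print key "|" val
    }'
}

# Live value of one key: dots in the key map to directories below $PROC_SYS.
# Fails when the key does not exist (typo, or feature not built into this kernel).
current_value() {
    f="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] || return 1
    tr -s '[:space:]' ' ' < "$f" | sed 's/ $//'
}

# Print one line per key that is missing or differs; return 1 if any did.
sysctl_drift() {
    list=$(mktemp)
    parse_sysctl_conf "$SYSCTL_FILE" > "$list"
    drift=0
    while IFS='|' read -r key want; do
        if have=$(current_value "$key"); then
            [ "$have" = "$want" ] || { echo "$key: want '$want', have '$have'"; drift=1; }
        else
            echo "$key: want '$want', key not present under $PROC_SYS"
            drift=1
        fi
    done < "$list"
    rm -f "$list"
    return "$drift"
}

# Usage: sh sysctl-drift.sh check   (exit status 1 means at least one key drifted)
if [ "${1:-}" = "check" ]; then
    sysctl_drift
fi
```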

OKGooken's excellent DNS security concept, details from much further below: "DNS surf mask" locally (/etc/hosts) for fundamental domain-to-IP mappings including some blocks, followed by pdnsd (the local DNS proxy/DNS server with adjustable long-time storage) and finally tordns (the anonymizing DNS server of Tor (the Onion Router), tor-resolve)

OKDeactivate IPv6, https://help.ubuntu.com/community/StricterDefaults
IPv6 is part of the Linux kernel since 2.6.28. Such addresses never change. If IPv6 is configured wrongly, it can cause trouble within a network and for DNS queries.
IPv6 is enabled on Ubuntu by default. Most firewalls (like LINFW3) only apply to IPv4 and completely ignore IPv6. If you don't use IPv6 at all, you can prevent it from loading at boot time by changing "alias net-pf-10 ipv6" to "alias net-pf-10 off" in /etc/modprobe.d/aliases resp. /etc/modprobe.conf and scheduling a reboot.

RedHat Enterprise Linux / CentOS / Fedora Core:
/etc/modprobe.conf, change line:

alias net-pf-10 ipv6
into:
alias net-pf-10 off
alias ipv6 off

and restart the computer.

RedHat Enterprise Linux / CentOS / Fedora Core / Mandriva:
Add the following entry to /etc/sysconfig/network:

NETWORKING_IPV6="no"

... and restart the system.

OKktune: kernel tuning resp. by boot options (/etc/init.d/ktune, if not already done in /boot/grub/menu.lst), to make it mouseclick-fast
/etc/sysctl.d/*
nano /etc/sysctl.d/01-disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1

nano /etc/sysctl.d/10-ptrace.conf
kernel.yama.ptrace.scope=3

nano /etc/sysctl.d/50-kptr-restrict.conf
kernel.kptr_restrict=1

nano /etc/sysctl.d/armci.conf
# Controls the maximum shared segment size, in bytes, see also /etc/sysctl.conf
kernel.shmmax = 134217728

nano /etc/sysctl.d/libvirtd
# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576

Start ktune
sh /etc/init.d/ktune start

OKDeactivate IPv6
This article describes how to deactivate IPv6 support for Linux and Windows. This can make sense for security reasons as long as IPv6 is not yet used productively. It prevents the host from obtaining an IPv6 address as soon as an IPv6 router advertisement daemon is available in a network. In addition, existing firewall rules are often not valid for IPv6. In this case services might be reachable via IPv6 that were actually blocked by an IPv4 rule. Under Linux there is the separate command "ip6tables" for managing the IPv6 firewall rules.
Ubuntu
In Ubuntu 10.04, 12.04, 14.04 and 16.04, IPv6 is compiled directly into the kernel and is not loaded as a module. The simplest method to deactivate IPv6 is to set the matching sysctl parameter. Temporarily this can be done with the following command:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

To make this setting permanent, use the sysctl functionality: simply create a file named /etc/sysctl.d/01-disable-ipv6.conf with the following content:

net.ipv6.conf.all.disable_ipv6 = 1

After the next reboot IPv6 is deactivated.

This is best checked with the command "ip addr show". There must not be any entries containing the text "inet6" any more.

ip addr show | grep inet6

RHEL / CentOS

Under RHEL 6 / CentOS 6 (with many patches/updates by Jonny Hughes, NY), IPv6 can be deactivated in the same way as under Ubuntu via sysctl (see above).

In RHEL 4 / CentOS 4, IPv6 is integrated as a module. To deactivate it, simply add the following line to the file /etc/modprobe.conf:

install ipv6 /bin/true

Whether it worked can be checked with the command "ip addr show | grep inet6" or alternatively with the command

lsmod | grep -i ipv6

OKTCP Wrapper, https://wiki.centos.org/HowTos/OS_Protection
TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP-wrapper-aware applications are sshd and portmap. A restrictive example is below. This example blocks everything but ssh:

echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow

OKTurn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think twice before removing it; if your system is attached to the internet and accessed by the public, then think some more about it.
SELinux provides three basic modes of operation:
Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful for troubleshooting SELinux related issues.
Disabled: SELinux is turned off.
You can view the current status of the SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.
# sestatus
If it is disabled, enable SELinux using the following command.

setenforce enforcing

It can also be managed from the '/etc/selinux/config' file, where you can enable or disable it.
https://www.tecmint.com/linux-server-hardening-security-tips/. Boot parameter in /boot/grub/menu.lst: "selinux=1"

AppArmor or SELinux?, forum.ubuntuusers.de
Why does Ubuntu not use SELinux, ... I see it that way too.... I have no trust anymore. Tom-L. Posts from year 2007 (five years before Snowden's publications...): 1181.
@glasen
Many thanks, I am going to read it when I have time tomorrow morning.
@timmy11
So so, the NSA and so on. Hmm, I myself wouldn't bother about ... I mean, ok, if it were our government, the Bundesregierung... Bundes-trojan :lol:
No, but to be serious: Security against third parties may be higher if institutes like the NSA are involved, but I feel the shabby smell of it too.

timmy11
Maybe someone can convince us of the opposite.
For me America means (... the governmental organizations): I like to know everything and to snoop on everything.
Murdoc
I also see this.... I simply do not have any trust anymore :(

Tom L.: I mean I have read that SELinux is an official part of the kernel. Therefore I believe that kernel developers (and more than only one) have studied the source code carefully.

glasen: Sorry, but I cannot stand your paranoia.
Obviously the NSA became a member to develop SELinux, but as Linux is open-source free software, it is impossible for the NSA to keep any backdoors secretly open.
If there were one line of code that could not stand peer review, SELinux would never be a part of the kernel sources!

Murdoc: I believe this too, but they have studied everything, but there are also kernel exploits :-/

If secret services would do this, integrating backdoors within the kernel ..., then certainly not by a project like SELinux, but through other parts of the kernel.
comm_a_nder: Hey, boys, think about it.

Mosurft: Generally I do not feel well connecting SELinux made by the NSA, even though - I do believe - no one can study and analyze each part of the source code. Everyone overlooks something at times, otherwise there would be no security holes, and even a secret service has the greatest interest in getting and checking a PC with a click on the button, in order to check out PCs...
I'd like to know who runs SELinux on a computer with Ubuntu and how it functions! And if someone does not like SELinux, what about Grsecurity? Did anyone check it out?
Greetings, Mo.

comm_a_nder: If I said it in the wrong way and you feel personally attacked, I am sorry.
Back to the topic: Especially the parts of software added by the NSA have been checked out well. But as I told you, there were surely much more effective ways for the boys from "Crypto City" to migrate code into the kernel source.

Murdoc: As we are getting paranoid, I ask about the BIOS.
Now, as ASUS offers a minimal Linux to browse, the question is posed what the BIOS is able to do at all.

Mosurft: If I do not trust the BIOS, then I better do not use any computer...! ;) ...
https://forum.ubuntuusers.de/topic/apparmor-oder-selinux

The introduced mainboard ITX-220 comes with an activatable/deactivatable BIOS LAN chip and coretemp for the regulation of the temperature... Next point: SELinux. As our excursus shows, it is suspiciously not needed. So we'd prefer to deactivate it right within the boot parameters.

OKReview Logs Regularly
Move logs in dedicated log server, this may prevents intruders to easily modify local logs. Below are the Common Linux default log files name and their usage:

/var/log/messages - Where whole system logs or current activity logs are available.
/var/log/auth.log - Authentication logs.
/var/log/kern.log - Kernel logs.
/var/log/cron.log - Crond logs (cron job).
/var/log/maillog - Mail server logs.
/var/log/boot.log - System boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/secure - Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.
https://www.tecmint.com/linux-server-hardening-security-tips/
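Reviewing logs means more than opening the files; the useful part is counting and correlating. As an added example (not code from the page's sources), the block below runs a small review pass over constructed auth.log/secure lines in the standard sshd and sudo message format: it counts failed password attempts per source address, records accepted logins and sudo commands, flags sources that crossed a threshold, and points out successful logins from a source that also produced failures. Host name, user names and the 203.0.113.x/198.51.100.x addresses are constructed documentation values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in /var/log/auth.log (Debian/Ubuntu) resp. /var/log/secure
# (el6) format. Host, users and addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 08:01:15 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Mar  3 08:01:19 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar  3 08:01:24 host1 sshd[2105]: Failed password for root from 203.0.113.5 port 40118 ssh2
Mar  3 08:02:02 host1 sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar  3 08:02:40 host1 sshd[2114]: Failed password for bob from 198.51.100.9 port 51200 ssh2
Mar  3 08:02:44 host1 sshd[2114]: Accepted password for bob from 198.51.100.9 port 51200 ssh2
Mar  3 08:03:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd
"""

# Message formats as written by OpenSSH sshd and sudo.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)
SUDO_RE = re.compile(r" sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def summarize_auth_log(text):
    """Return per-source failure counts, tried user names, accepted logins and sudo commands."""
    failures = Counter()
    failed_users = defaultdict(set)
    accepted = []
    sudo_cmds = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append((m["user"], m["cmd"].strip()))
    return {"failures": failures, "failed_users": failed_users,
            "accepted": accepted, "sudo": sudo_cmds}


def suspicious_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failed password attempts."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)


def logins_after_failures(summary):
    """Successful logins from a source that also produced failures: worth a second look."""
    return [(u, ip, m) for (u, ip, m) in summary["accepted"]
            if summary["failures"][ip] > 0]


if __name__ == "__main__":
    s = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("failed attempts per source:", dict(s["failures"]))
    print("suspicious sources (>= 3 failures):", suspicious_sources(s))
    print("logins after failures:", logins_after_failures(s))
    print("sudo commands:", s["sudo"])
```

On a real host the same functions can be fed the contents of /var/log/auth.log or /var/log/secure; the point of the central log server mentioned above is that this review runs on copies an intruder on the host cannot edit.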

OKShared Memory (shm and tmpfs, see our /etc/fstab further below), https://help.ubuntu.com/community/StricterDefaults
By default, /run/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /run/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /run/shm read/write. To change this setting, edit the /etc/fstab file to include the following line:

none /run/shm tmpfs defaults,ro 0 0

resp. http://joshrendek.com/2013/01/securing-ubuntu/ :

A common exploit vector is going through shared memory (which can let you change the UID of running programs and other malicious actions). It can also be used as a place to drop files once an initial breakin has been made. An example of one such exploit is available here.
Open /etc/fstab:

tmpfs /dev/shm tmpfs defaults,ro 0 0

This will mount /run/shm in read-only mode. Note: MANY programs will not work if you make /run/shm read-only (e.g. Google Chrome). If you have a good reason to keep it writable, put this line in /etc/fstab instead:

none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0

This will mount /run/shm writable, but without permission to execute programs, without permission to change the UID of running programs, or to create block or character devices in the namespace.

The changes will take effect the next time you reboot, unless you remount /run/shm with the command sudo mount -o remount /run/shm.

OKSSH Settings, https://help.ubuntu.com/community/StricterDefaults
While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain sshd settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the /etc/ssh/sshd_config file. Lines with a pound sign (#) are commented and not read. To edit this file from a terminal:

sudoedit /etc/ssh/sshd_config

For a Gnome editor, press Alt+F2 and use:

gksudo gedit /etc/ssh/sshd_config

For a KDE editor, press Alt+F2 and use:

kdesu kate /etc/ssh/sshd_config

Please remember, after making any changes, sshd must be restarted, which can be done from the terminal with this command:

service ssh restart (CentOS: sh /etc/init.d/sshd restart)
..., https://help.ubuntu.com/community/StricterDefaults .

OKConfiguring bastille, http://joshrendek.com/2013/01/securing-ubuntu/
The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system´s current state of hardening, granularly reporting on each of the security settings with which it works.

File permissions module: Yes (suid)
Disable SUID for mount/umount: Yes
Disable SUID on ping: Yes
Disable clear-text r-protocols that use IP-based authentication? Yes
Enforce password aging? No (situation dependent, I have no users accessing my machines except me, and I only allow ssh keys)
Default umask: Yes
Umask: 077
Disable root login on tty 1-6: Yes
Password protect GRUB prompt: No (situation dependent, I´m on a VPS and would like to get support in case I need it)
Password protect su mode: Yes
default-deny on tcp-wrappers and xinetd? No
Ensure telnet doesn´t run? Yes
Ensure FTP does not run? Yes
display authorized use message? No (situation dependent, if you had other users, Yes)
Put limits on system resource usage? Yes
Restrict console access to group of users? Yes (then choose root)
Add additional logging? Yes
Setup remote logging? Only if you have a remote log host; I don´t, so I answered No
Setup process accounting? Yes
Disable acpid? Yes
Deactivate nfs + samba? Yes (situation dependent)
Stop sendmail from running in daemon mode? No (I have this firewalled off, so I´m not concerned)
Deactivate apache? Yes
Disable printing? Yes
TMPDIR/TMP scripts? No (if a multi-user system, yes)
Packet filtering script? Yes
Finished? YES! & reboot


OKLink the dns resolver nslookup to the anonymizing tor-resolve
We are going to write about Tor (The Onion Router) at the end of our excursus. If you already use Tor, secure your system by linking nslookup to the DNS-anonymizing resolver tor-resolve:
make a copy of nslookup: cp -f /usr/bin/nslookup /usr/bin/nslookup-save
link nslookup to tor-resolve: ln -sf /usr/bin/tor-resolve /usr/bin/nslookup
You can do the same for the DNS-resolving programs host and dig.
Notice that the output of these programs is not the same (but in all cases it contains the IP for the requested domain).
For programs that do not work after this linking, enter the IP/domain pairs in /etc/hosts and adjust /etc/nsswitch.conf. Read more about /etc/hosts at the end of our excursus.
Finally, think about setting ACL rights on these files, see our section on setfacl.

OKFor our "Universal-Linux" (backported system) a current kernel and current kernel firmware can be downloaded from PCLinuxOS, a backport of Fedora Core, ROSA, Mageia and Mandriva, http://ftp.pbone.net/mirror/www.pclinuxos.com/pclinuxos/apt/pclinuxos/64bit/RPMS.x86_64/ or https://ftp.nluug.nl/ftp/pub/os/Linux/distr/pclinuxos/pclinuxos/ or https://linux.palemoon.org and other URLs. We strongly recommend the LONG-TERM kernel-4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004 (leads to a manual LUKS password request even if a password key file exists!), mdv2011: version 008), glibc (el8, pclos), kernel-firmware (pclos), kernel-firmware-extra (pclos) and Konqueror (el6) with the integrated adblocker resp. the current Firefox (ESR, the backported company edition) from http://ftp.scientificlinux.org/linux/scientific/6.9/x86_64/updates/security/ or http://mirror.centos.org/centos/6/updates/x86_64/Packages/ with the extensions named on this website in the following.

After the installation of kernel-4.19 (pclos), look at its requirements and install missing ones like kmod (pclos): "rpm -q --requires kernel-4.19....".

OKDeinstallation of programs (also see section "Updating/Updates"): If, for example, sudo, rpcbind, portmapper, the SSH daemon sshd, rsh, telnet, avahi-daemon or the cups-browsed daemon of the CUPS system is not needed, it can be deactivated or deinstalled: "dpkg ...", "rpm -e [--nodeps]"; source: https://wiki.kairaven.de/open/os/linux/tuxsectune

OKQuota
Quota limits the storage consumption of a single user and/or group, so that an "overflow" of a volume resp. partition is prevented. The kernel must be configured for quota. If CONFIG_QFMT_V2 is set as a module, the kernel module quota_v2.ko is added to /etc/modules:

echo quota_v2 | sudo tee -a /etc/modules

For quota following packages have to be installed:

sudo aptitude install quota quotatool

If there is no quota on NFS-mounted file systems resp. no RPC quota server, the service RPC Remote Quota Server can be deactivated:

sudo systemctl disable quotarpc.service # sh /etc/init.d/quota... stop # and disable

In /etc/fstab the mount options of the /fs file system are extended with the options for journaled quota:

/etc/fstab

/fs /mountpoint ext4 options,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0

Use usrjquota for user quota and/or grpjquota for group quota (leave out the one not needed). Volumes with a size of 4 TB use the quota format vfsv1 (jqfmt=vfsv1).

Finally restart the system if the file system cannot be remounted with the following command:

sudo mount -o remount /mountpoint

More details and source: https://wiki.kairaven.de/open/os/linux/tuxsectune

OKKernel-configuration
Deactivate as much as possible, that is, all modules that are not needed. The preconfiguration for a single user is already set for everyday use. Special requirements and development may differ from this, and a backup kernel should be installed in parallel in case the configuration or the boot fails.
More details and source: https://wiki.kairaven.de/open/os/linux/tuxsectune
We are describing, how to configure and compile the kernel-source in our section for updates.

OKBlocking of modules
https://wiki.kairaven.de/open/os/linux/tuxsectune (resp. by "blacklist module-name" within /etc/modprobe.d/).

OKServices with systemd
Removal and deactivation
Deactivate all services that are not needed. Either deinstall complete packages or, if deinstallation is not wanted, use systemctl (alternatively ntsysv, chkconfig or MCC#system-services (mdv2010)) for deactivation.

More about security-settings for services by systemd and source: https://wiki.kairaven.de/open/os/linux/tuxsectune .

OKat & cron
Restrict the users who are allowed to create and modify at (batch) and cron jobs: enable them within /etc/at.allow and /etc/cron.allow by entering their login names line by line (only the users listed there are allowed).

OKHardened compilation
Flags that can be set for the configure script.


Executable

'CFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security'
'CPPFLAGS= -D_FORTIFY_SOURCE=2'
'CXXFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security'
'LDFLAGS= -fPIE -pie -Wl,-z,relro -Wl,-z,now'

Shared Library

'CFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security'
'CPPFLAGS= -D_FORTIFY_SOURCE=2'
'CXXFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security'
'LDFLAGS= -fpic -Wl,-z,relro -Wl,-z,now'

If the option "-fpic" does not work, use "-fPIC".

OKPossibly deinstall ( rpm -e packagename or rpm -e --nodeps packagename )
rpcbind (el6, mdv2010.2), sudo (el6, mdv2010.2), portmap (el6, mdv2010.2), dayplanner, mmc-agent (mdv2010.2), tracker (mdv2010), codeina (mdv2010), xguest (mdv2010), wu-ftpd (mdv2010), anonftp (mdv), mdkonline (mdv2010), f-spot (does not work on the basis of updated mono (rosa2014.1)), abrt (el6), funguloids (mdv2010.2), banshee (rosa, mdv) and amarok (rosa, mdv): unavailable for el6, both do not work, qmmp (el6, mdv) does not work, lxde (mdv2010, lxpanel tries to get unpredictable root access).

OKStart only the processes needed. Use net_applet from NetworkManager and not nm-applet. There might be an error in the script for NetworkManager. Replace everything except the last line in start() with "/usr/bin/NetworkManager --log-level=INFO".

Commercial modules: Linux and the NSA
tgruene, 16.10.2013
With the last news link about Oracle's attempt to explain the advantage of commercial software to the DOD, it occurred to me that on a typical Linux machine a whole series of modules run for which no source code is available (which are supplied by US-American companies and thus presumably also contain law-abiding (aka NSA-friendly) backdoors), be they Nvidia/ATI drivers, Virtualbox or, under Debian, presumably almost the entire content of firmware-linux-nonfree.
I am interested in how well the kernel and the modules are isolated from each other - how easy is it to build, for example, a keylogger into such a module that intercepts my passwords as I type and sends them somewhere over the internet? That the NSA reads my emails is impertinent, but as such does not bother me much, otherwise I would not write emails to people whose key I do not know; but eavesdropping on my GPG key and my passwords - I do have quite a lot against that.

OKTerminal -> lsmod
/etc/modprobe.d/blacklist*
blacklist mei
blacklist it87 # disabled for mainboard ASUS ITX-220
blacklist i2c_dev # ITX-220
blacklist coretemp # ITX-220
blacklist snd-usb-audio
blacklist snd_pcm_oss
blacklist snd_mixer_oss
blacklist snd_seq_oss
blacklist pata_acpi
blacklist rivatv
blacklist i82875p_edac
# do not use "Boot Protocol" drivers, we prefer usbhid
# and they cause problems when loaded together with usbhid (#37726, #40861)
blacklist usbkbd
blacklist usbmouse
# disable PC speaker by default
# pcspkr is the standard driver, while snd-pcsp is the ALSA driver
blacklist pcspkr
blacklist snd-pcsp
# virtio host-side networking
blacklist vhost
blacklist vhost_net
# TPM drivers
blacklist tpm_infineon
blacklist tpm_tis
blacklist tpm_tis_core
# watchdog drivers
blacklist i8xx_tco
# framebuffer drivers
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist i810fb
blacklist cirrusfb
blacklist intelfb
blacklist kyrofb
blacklist i2c-matroxfb
blacklist hgafb
blacklist nvidiafb
blacklist rivafb
blacklist savagefb
blacklist sstfb
blacklist neofb
blacklist tridentfb
blacklist tdfxfb
blacklist virgefb
blacklist vga16fb
blacklist matroxfb_base
# ISDN - see bugs 154799, 159068
blacklist hisax
blacklist hisax_fcpcipnp
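A "blacklist" line only stops modprobe from loading a module by its alias; a module can still end up loaded because another module pulled it in as a dependency or because someone loaded it by hand. The following added example (not the page's own code) parses a blacklist file in the format above (a constructed subset with a deliberate duplicate) and compares it against constructed lsmod output, reporting modules that are blacklisted yet loaded, so the result of lsmod can be checked against the intent of the configuration.

```python
import re

# Constructed /etc/modprobe.d/blacklist-*.conf content: a subset of the list above,
# with a duplicate on purpose to show the normalisation.
BLACKLIST_CONF = """\
# disable PC speaker by default
blacklist pcspkr
blacklist snd-pcsp
blacklist pcspkr
blacklist vhost_net
blacklist tpm_tis
# framebuffer drivers
blacklist nvidiafb
"""

# Constructed `lsmod` output (header row plus a few entries), not from a real machine.
LSMOD_OUTPUT = """\
Module                  Size  Used by
snd_pcsp               16384  0
vhost_net              32768  0
tpm_tis                16384  0
tpm_tis_core           24576  1 tpm_tis
usbhid                 65536  0
"""


def normalize(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.strip().replace("-", "_")


def parse_blacklist(conf):
    """Return the ordered, de-duplicated blacklist and the duplicate names found."""
    seen, order, dupes = set(), [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        m = re.match(r"blacklist\s+(\S+)$", line)
        if not m:
            continue
        name = normalize(m.group(1))
        if name in seen:
            dupes.append(name)
        else:
            seen.add(name)
            order.append(name)
    return order, dupes


def parse_lsmod(output):
    """Map loaded module name -> list of modules that depend on it."""
    loaded = {}
    for line in output.splitlines()[1:]:          # skip the "Module Size Used by" header
        parts = line.split()
        if len(parts) < 3:
            continue
        users = parts[3].split(",") if len(parts) > 3 else []
        loaded[normalize(parts[0])] = users
    return loaded


def blacklisted_but_loaded(conf, lsmod_output):
    """Blacklisted modules that are currently loaded anyway (dependency or manual load)."""
    wanted, _ = parse_blacklist(conf)
    loaded = parse_lsmod(lsmod_output)
    return sorted(m for m in wanted if m in loaded)


if __name__ == "__main__":
    order, dupes = parse_blacklist(BLACKLIST_CONF)
    print("blacklisted:", order, "duplicates:", dupes)
    print("blacklisted but loaded:", blacklisted_but_loaded(BLACKLIST_CONF, LSMOD_OUTPUT))
```

If a module must never be loaded at all, even as a dependency, the stronger form is an "install module-name /bin/false" line in /etc/modprobe.d/, which replaces the load command itself.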


OKPartition check during each system boot
This is described later on, but it might be so important that we tell it already at this place.
We assume that the partitions have already been encrypted with LUKS/dm-crypt (we describe later on how this is done, if not). But the check works on unencrypted ones too. To be careful, we are going to check partitions with file systems like ext4 at each system boot, especially thinking of all the future updating with rpm packages.


tune2fs -c 1 /dev/mapper/cryptedhomepartition


resp.

reiserfstune -m 1 /dev/mapper/cryptedroot_resp_home_resp_bootpartition


resp. (time-based: at most 7 days between two checks)

tune2fs -i 7d /dev/mapper/cryptedroot_resp_home_resp_bootpartition


For unencrypted partitions and partitions not handled by the kernel's device mapper, replace the container file "/dev/mapper/cryptedhomepartition" with a device file like /dev/sda1.

Also activate the check at each boot in the device configuration file /etc/fstab. Do this line (partition) by line (partition), more or less according to the "priority" of the check, by setting a positive integer behind the number (zero) for the (deactivated) dump at the end of the line: "0 1" for the root partition, "0 1" or "0 2" for the home partition and so on.
An example of the content of /etc/fstab as a whole is given further below.
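The mount options for /run/shm, the journaled quota options and the pass field discussed above can all be checked in one place. The following added example (not the page's own code) parses a constructed /etc/fstab and reports writable tmpfs mounts lacking noexec, nosuid and nodev, ext2/ext3/ext4 file systems with a pass field of 0 (never checked at boot), a root file system whose pass field is not 1, and journaled quota options without a jqfmt= setting. The device names and mount points in the sample are constructed.

```python
# Constructed /etc/fstab used as input; two of the entries are deliberately weak.
SAMPLE_FSTAB = """\
# <device>                 <mount>   <type>  <options>                                          <dump> <pass>
/dev/mapper/cryptedroot    /         ext4    defaults                                            0 1
/dev/mapper/cryptedhome    /home     ext4    defaults,nodev,usrjquota=aquota.user,jqfmt=vfsv1    0 2
/dev/sda1                  /boot     ext4    defaults                                            0 0
none                       /run/shm  tmpfs   defaults                                            0 0
tmpfs                      /tmp      tmpfs   rw,noexec,nosuid,nodev                              0 0
"""

HARDENED_TMPFS = {"noexec", "nosuid", "nodev"}
CHECKED_FS = ("ext2", "ext3", "ext4")


def parse_fstab(text):
    """Return one dict per active fstab entry (comments and blank lines skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                                    # malformed line, ignore
        dump = int(fields[4]) if len(fields) > 4 else 0  # missing fields default to 0
        passno = int(fields[5]) if len(fields) > 5 else 0
        entries.append({"device": fields[0], "mount": fields[1], "fstype": fields[2],
                        "opts": set(fields[3].split(",")), "dump": dump, "pass": passno})
    return entries


def audit_fstab(text):
    """List (mount point, problem) pairs for the weaknesses discussed above."""
    findings = []
    for e in parse_fstab(text):
        opts, mnt, fs = e["opts"], e["mount"], e["fstype"]
        # Writable tmpfs (e.g. /run/shm) should carry noexec,nosuid,nodev; read-only is fine.
        if fs == "tmpfs" and "ro" not in opts:
            missing = sorted(HARDENED_TMPFS - opts)
            if missing:
                findings.append((mnt, "writable tmpfs without " + ",".join(missing)))
        # pass field 0 means fsck never runs for this file system at boot.
        if fs in CHECKED_FS and e["pass"] == 0:
            findings.append((mnt, "pass field is 0: no fsck at boot"))
        # The root file system is checked first and must use pass 1.
        if mnt == "/" and e["pass"] != 1:
            findings.append((mnt, "root file system should have pass 1"))
        # Journaled quota needs its format; usrjquota/grpjquota alone is incomplete.
        has_jquota = any(o.startswith(("usrjquota=", "grpjquota=")) for o in opts)
        if has_jquota and not any(o.startswith("jqfmt=") for o in opts):
            findings.append((mnt, "journaled quota without jqfmt="))
    return findings


if __name__ == "__main__":
    for mount, problem in audit_fstab(SAMPLE_FSTAB):
        print(f"{mount}: {problem}")
```

Run against the real file with audit_fstab(open("/etc/fstab").read()); an empty result means the three checks discussed above are satisfied.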

OKApache web server (httpd.conf) (analogous: LAN/Samba (smb.conf), database server/MySQL (my.cnf and mysqld.conf) and other servers, print server (CUPS), see end of this website)
Now it is the turn of the web server, mostly Apache httpd 1.3 or 2.0. Its basic functions are enriched by many loadable modules.
To see which modules are really needed, have a look into /etc/apache/httpd.conf (CentOS 6 and CentOS 7: /etc/httpd/httpd.conf):

LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so

Superfluous modules can be commented out with "#" plus a blank at the very beginning of each line. Apache works faster and consumes less memory the fewer modules are loaded.

Only those modules should be loaded, that are really needed. The kind of server determines, which ones. Nevertheless there are modules, a standard webserver does not need:
* lib_status (presents a server-internal status)
* libproxy (an enormous security risk, as the webserver realizes a proxy for the accesses of other server)
* mod_cgi (to start so-called cgi-scripts. Such scripts are rarely used today as they are one more security risk)
* mod_userdir (generates a web-directory for each user)
In Debian, Apache 2.0 uses the file /etc/apache2/apache2.conf for configuration. All modules symbolically linked in /etc/apache2/mods-enabled are loaded by default. To deactivate such modules, the link has to be deleted.
After the config files were changed,

apache -t

shows whether the configuration syntax is still OK.

/etc/init.d/apache restart
or
/etc/init.d/apache2 restart # C6 (el6): sh /etc/init.d/httpd restart

restarts the server so that the changes take effect.

Notice that SuSE does it the other way round. Apache modules are loaded within the file /etc/sysconfig/apache2. Look in this file for the line with "APACHE_MODULES" and delete the entries not needed. After this,

SuSEconfig
has to be started out of the shell. Restart Apache by
rcapache2 restart

To get more information about the task of each module, have a look at

http://httpd.apache.org/docs/1.3/mod/index-bytype.html and
http://httpd.apache.org/docs/2.0/mod/
More reports
Apache: Howto stop unwanted referers, https://www.strassenprogrammierer.de/apache-unerwuenschte-referer-stoppen_tipp_441.html
Source: https://www.strassenprogrammierer.de/webserver-absichern-hacker_tipp_479.html

OKSecure Apache/PHP/Nginx server
Edit httpd.conf file (CentOS: /etc/httpd/conf/httpd.conf) and add the following:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By

Restart the httpd/apache2 server on Linux.
You must install and enable mod_security on RHEL/CentOS server. It is recommended that you edit php.ini and secure it too.
https://www.cyberciti.biz/tips/linux-security.html
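The two Apache sections above come down to two checks: which LoadModule lines are active, and whether the information-hiding directives are set. As an added example (not code from the page's sources), the block below parses a constructed httpd.conf excerpt in the 1.3 style shown above, lists the loaded modules, flags the ones the text calls out as unnecessary on a standard web server (proxy, cgi, userdir, status), and reports ServerTokens, ServerSignature and TraceEnable settings that differ from the recommended values as well as Options lines that enable directory indexes. The sample configuration is constructed for this example.

```python
import re

# Constructed httpd.conf excerpt with several of the weaknesses discussed above.
SAMPLE_HTTPD_CONF = """\
ServerTokens OS
ServerSignature On
#TraceEnable Off
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
#LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
LoadModule status_module /usr/lib/apache/1.3/mod_status.so
<Directory /var/www>
    Options Indexes FollowSymLinks
</Directory>
"""

# Modules a standard web server usually does not need, with the reason from the text above.
RISKY_MODULES = {
    "proxy_module": "turns the web server into a proxy for other hosts",
    "cgi_module": "executes CGI scripts",
    "userdir_module": "exposes a web directory per local user",
    "status_module": "publishes server-internal status",
}

# Directive values recommended above (compared case-insensitively).
EXPECTED_DIRECTIVES = {"ServerTokens": "Prod", "ServerSignature": "Off", "TraceEnable": "Off"}


def active_lines(conf):
    """Yield non-empty lines that are not commented out."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def loaded_modules(conf):
    """Module names from active LoadModule lines, in file order."""
    mods = []
    for line in active_lines(conf):
        m = re.match(r"LoadModule\s+(\S+)\s+\S+", line, re.IGNORECASE)
        if m:
            mods.append(m.group(1))
    return mods


def risky_modules(conf):
    """Loaded modules that appear in RISKY_MODULES."""
    return [m for m in loaded_modules(conf) if m in RISKY_MODULES]


def audit_directives(conf):
    """Human-readable findings for the directives and Options lines."""
    found = {}
    findings = []
    for line in active_lines(conf):
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts
        found[name.lower()] = value.strip()          # later occurrences override earlier ones
        # "Options Indexes" or "+Indexes" enables directory listings; "-Indexes" does not match.
        if name.lower() == "options" and re.search(r"(^|\s)\+?Indexes\b", value):
            findings.append("Options enables directory indexes: " + line)
    for name, want in EXPECTED_DIRECTIVES.items():
        got = found.get(name.lower())
        if got is None:
            findings.append(f"{name} not set (want {want})")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got} (want {want})")
    return findings


if __name__ == "__main__":
    print("loaded:", loaded_modules(SAMPLE_HTTPD_CONF))
    for m in risky_modules(SAMPLE_HTTPD_CONF):
        print(f"risky module {m}: {RISKY_MODULES[m]}")
    for f in audit_directives(SAMPLE_HTTPD_CONF):
        print("finding:", f)
```

The directive check deliberately looks only at the main file; an Apache 2 installation that splits its configuration over conf.d/ and mods-enabled/ has to be concatenated first.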

OKDDoS protection service:
The DDoS protection service is able to ward off even the most complex DDoS attacks.
https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html
https://www.digitalattackmap.com/understanding-ddos/

OKLoad balancing:
Load balancing often goes together with failover mechanisms: by building a cluster with adequate capacity and distributing requests across individual systems, you can increase resilience, as the failure of one system is detected and the requests are automatically sent to another system.
https://de.wikipedia.org/wiki/Lastverteilung_(Informatik)
https://www.nginx.com/resources/glossary/load-balancing/

OKHMAC authentication
HMAC stands for keyed-hash message authentication code. A message authentication code protects transmitted data against modification by an attacker who can read the data in real time. Of the numerous possibilities for reliable message authentication, TLS uses one built on hash functions (hence the H in HMAC).
https://en.wikipedia.org/wiki/HMAC

HMAC Authentication in Web API - Dot Net Tutorials
Understanding the Keys used in HMAC Authentication. Uses of HMAC Authentication in Web API. How does the HMAC Authentication work?
https://dotnettutorials.net/lesson/hmac-authentication-web-api/

What is HMAC authentication and how does it make VPN safer?
HMAC stands for hashed message authentication code and is an important factor in VPN security. Learn why strong HMAC auth matters for VPN security.
https://protonvpn.com/blog/hmac-authentication/
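What the HMAC section above describes can be shown in a few lines with Python's standard library. The following added example (not code from the page's sources) computes an HMAC-SHA256 tag over a message, verifies it in constant time, and shows that a modified message or a wrong key is rejected; it also shows why a plain unkeyed hash gives no protection, since anyone who can read the channel can recompute it for a changed message. The key and message are constructed values.

```python
import hashlib
import hmac


def mac_message(key, message):
    """HMAC-SHA256 tag (32 bytes) over `message` under the shared `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key, message, tag):
    """Constant-time comparison: a plain == would leak how many leading bytes match."""
    return hmac.compare_digest(mac_message(key, message), tag)


def unkeyed_digest(message):
    """A plain hash: anyone reading the channel can recompute it for a modified message,
    so it detects transmission errors but not an active attacker."""
    return hashlib.sha256(message).digest()


def demo():
    """Returns (genuine accepted, tampered message accepted, wrong key accepted)."""
    # Constructed shared secret; in practice 32 random bytes (os.urandom) agreed out of band.
    key = b"constructed-shared-secret-key"
    msg = b"transfer 100 EUR to account 42"
    tag = mac_message(key, msg)                         # sender attaches this to the message
    ok = verify_message(key, msg, tag)                  # receiver recomputes and compares
    tampered = verify_message(key, b"transfer 900 EUR to account 42", tag)
    wrong_key = verify_message(b"other-key", msg, tag)
    return ok, tampered, wrong_key


def unkeyed_demo():
    """The same tampering goes unnoticed when only a hash is sent: the attacker
    simply replaces the hash with one over the modified message."""
    msg = b"transfer 100 EUR to account 42"
    forged_msg = b"transfer 900 EUR to account 42"
    forged_hash = unkeyed_digest(forged_msg)            # needs no secret
    return unkeyed_digest(forged_msg) == forged_hash     # receiver accepts it


if __name__ == "__main__":
    print("HMAC: genuine, tampered, wrong key ->", demo())
    print("plain hash: forged message accepted ->", unkeyed_demo())
```

The tag has to travel with the message; TLS does the equivalent per record, and the 60-minute re-keying described further below limits how long a compromised key remains useful.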

OKStation-to-Station (STS) protocol, Cipher Block Chaining:
CBC stands for Cipher Block Chaining: every cipher block depends on the previous ones, so even short interruptions of the channel are quickly noticed. Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange A symmetric encryption scheme is used whose key is negotiated by a Diffie-Hellman key exchange over elliptic curves. The server and the app use this mathematics to negotiate and verify the secret key, which is then used to encrypt the data for the entire session. Station-to-Station (STS) protocol: https://en.wikipedia.org/wiki/Station-to-Station_protocol In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme. The protocol is based on classic Diffie-Hellman and provides mutual key and entity authentication. Unlike classic Diffie-Hellman, which is not secure against a man-in-the-middle attack, this protocol assumes that the parties have signature keys, which are used to sign messages, thereby providing security against man-in-the-middle attacks. In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit key confirmation, making it an authenticated key agreement with key confirmation (AKC) protocol.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC


OKPretty Good Privacy
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy

OKPerfect Forward Secrecy
With Perfect Forward Secrecy, even if a dedicated opponent somehow manages to attack the computer or server during a session, they will not be able to decrypt traffic from past sessions. The provider namely uses a new secret key with each connection. Even if you remain connected to the server for a long period of time, the provider automatically changes the key every 60 minutes. This key renewal every 60 minutes guarantees "forward secrecy": if an attacker succeeds in compromising the key, in the worst case he could read the data of up to 60 minutes. Then everything is secret again.
https://en.wikipedia.org/wiki/Forward_secrecy
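The Diffie-Hellman exchange with explicit key confirmation described in the STS section and the forward secrecy of the section just above can be walked through together. The following added example (not code from the page's sources) shows both sides' messages of an ephemeral Diffie-Hellman exchange, derives the session key from the shared secret and the transcript, performs the two-way key confirmation of STS with HMAC, and then runs two sessions (the hourly re-keying) to show that the ephemeral secrets of the second session do not recover the key of the first. The group parameters are a toy (the Mersenne prime 2^127-1 with generator 5) chosen only so the arithmetic is visible; real deployments use the RFC 3526 groups or elliptic curves. The signatures STS uses for entity authentication are not shown, since the standard library has none; the exchange below is therefore key agreement with key confirmation, not the full STS protocol.

```python
import hashlib
import hmac
import secrets

# Toy group for the walk-through only: Mersenne prime 2^127-1, generator 5.
# Not for production; use RFC 3526 MODP groups or X25519 there.
P = 2**127 - 1
G = 5
NBYTES = (P.bit_length() + 7) // 8          # 16 bytes per public value


def is_valid_public(value):
    """Reject 0, 1 and P-1 (degenerate values that force a trivial shared secret)."""
    return 1 < value < P - 1


def dh_keypair():
    """Fresh ephemeral private exponent and the public value g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1     # 1 <= a <= P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret (peer_pub)^priv mod p, after validating the peer's value."""
    if not is_valid_public(peer_pub):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_key(shared, transcript):
    """KDF: hash the shared secret with the transcript so the key is bound to this exchange."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript).digest()


def key_confirmation(key, role, transcript):
    """Explicit key confirmation as in STS: each side proves it holds the same key."""
    return hmac.new(key, role + transcript, hashlib.sha256).digest()


def run_session():
    """One exchange: A -> B, B -> A, key derivation, two-way confirmation."""
    a, A = dh_keypair()                     # client's ephemeral pair
    b, B = dh_keypair()                     # server's ephemeral pair
    transcript = A.to_bytes(NBYTES, "big") + B.to_bytes(NBYTES, "big")
    k_client = derive_key(dh_shared(a, B), transcript)
    k_server = derive_key(dh_shared(b, A), transcript)
    # server -> client confirmation, then client -> server; each side checks the other
    conf_s = key_confirmation(k_server, b"server", transcript)
    if not hmac.compare_digest(conf_s, key_confirmation(k_client, b"server", transcript)):
        raise RuntimeError("server confirmation failed")
    conf_c = key_confirmation(k_client, b"client", transcript)
    if not hmac.compare_digest(conf_c, key_confirmation(k_server, b"client", transcript)):
        raise RuntimeError("client confirmation failed")
    return {"key": k_client, "priv": (a, b), "pub": (A, B)}


def forward_secrecy_demo():
    """Two consecutive sessions (the hourly re-keying). Returns
    (session 2 key rebuilt from its own secrets, session 1 key rebuilt from
    session 2's secrets, the two keys are identical)."""
    s1 = run_session()
    s2 = run_session()
    a2, _ = s2["priv"]
    A2, B2 = s2["pub"]
    # With session 2's ephemeral secret the attacker can of course rebuild session 2's key ...
    rebuilt = derive_key(dh_shared(a2, B2), A2.to_bytes(NBYTES, "big") + B2.to_bytes(NBYTES, "big"))
    # ... but the same secret applied to session 1's public values yields an unrelated key.
    A1, B1 = s1["pub"]
    wrong = derive_key(dh_shared(a2, B1), A1.to_bytes(NBYTES, "big") + B1.to_bytes(NBYTES, "big"))
    return rebuilt == s2["key"], wrong == s1["key"], s1["key"] == s2["key"]


if __name__ == "__main__":
    print("rebuilt own session, recovered old session, keys equal:", forward_secrecy_demo())
```

The property shown in forward_secrecy_demo is exactly what the 60-minute key renewal above buys: each interval has its own ephemeral exponents, and once they are discarded nothing held later can reproduce the earlier key.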

OKShadowsocks SOCKS5 proxy (all servers): the Shadowsocks proxy can be used with the provider through its application (Mac OS X, Windows, Linux, iOS, Android, Windows 10 Mobile). In addition, there is the advantage that Shadowsocks cannot even be blocked in highly restrictive networks.
https://shadowsocks.org/en/index.html

OKSmart DNS Proxy (all servers)
There are currently two common ways to circumvent geo-blocks of foreign video-on-demand services such as Hulu, Netflix or Vudu. The first way is to use SmartDNS services. The term SmartDNS stands for a technology designed specifically to bypass the geo-blocking barrier. To configure the SmartDNS service, only a minimal change to the TCP/IP properties of the network connection is needed. Then the user can freely use many blocked streaming services regardless of their current whereabouts.
http://www.unblock.ch/smart-dns-anbieter/

OKDNS leak:
Own DNS servers without hard disks (RAM disk). Additionally OpenDNS servers (IPv6) are used (selectable in the settings). The service reliably protects against the well-known DNS leak.
https://www.hongkiat.com/blog/creating-ram-drives/
https://www.tomshardware.com/news/what-we-know-ddr5-ram,39079.html
https://www.opendns.com/about/innovations/ipv6/

OKIP leak:
Proprietary software reliably prevents attacks using known DNS leak methods.

OKWebRTC leak:
The service reliably protects against the well-known WebRTC leak problem.

OKMemory protection function (protection against server failures):
This function is able to divide the available RAM and to separate running programs from one another so that a programming error or crash of a single program does not affect the stability of other programs or of the system as a whole (memory protection mechanism).
Server failure (protection options):
Undervoltage protection (UVP)
Overvoltage protection (OVP)
Short-circuit protection (SCP)
Overload protection (OPP)
Overcurrent protection (OCP)
Overtemperature protection (OTP)
Japanese 105°C capacitors (lifetime of the power supply unit)
Fire detectors (installed in the server room)
These (power supply) protection functions can prevent most server failures.

OKLogin methods, Two-Factor-Authentification (TOTP)
Two-factor authentication can be implemented for SSH access or other application logins; it improves login security by adding a second factor of authentication: the password is typically something you know, while the second factor may be a physical security token or a mobile device, which is something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Security and Google Authenticator as well as many others. These typically involve installing an application on a smartphone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
4096 bit encryption / elliptic-curve cryptography /
two-factor authentication / connection (SSL/TLS encryption) / full IPv6
support / HMAC authentication / Cipher Block Chaining / Diffie-Hellman key exchange / STS protocol (Station-to-Station) / Pretty Good Privacy / Perfect Forward
Secrecy / encryption tool (cloud storage/backup) / failure backup solution / NAT firewall /
DDoS protection / load balancing / DNS leak / IP leak / WebRTC leak /
Windows login leak / artificial intelligence (NeuroRouting™) / zero-knowledge proof /
Fiat-Shamir protocol / Schnorr identification / SecureCore function (security kernel) /
4096 bit encryption:
https://www.pcwelt.de/ratgeber/Verschluesselung_-_Was_ist_noch_unknackbar_-Sicherheits-Check-8845011.html
https://www.heise.de/security/artikel/Kryptographie-in-der-IT-Empfehlungen-zu-Verschluesselung-und-Verfahren-3221002.html?seite=all
https://de.wikipedia.org/wiki/Elliptic_Curve_Cryptography
https://www.heise.de/select/ix/2017/3/1487529933065685
https://www.computerweekly.com/de/definition/Elliptische-Kurven-Kryptografie-Elliptic-Curve-Cryptography-ECC
https://www.globalsign.com/de-de/blog/ecc-101/
https://www.ssl247.de/certificats-ssl/rsa-dsa-ecc
Two-factor authentication (TOTP):
https://de.wikipedia.org/wiki/Zwei-Faktor-Authentisierung
https://www.pcwelt.de/ratgeber/Wichtige_Dienste_per_Zwei-Faktor-Authentifizierung_schuetzen-Sicherheit-8679969.html
https://www.security-insider.de/flexiblere-zwei-faktor-authentifizierung-an-vpns-a-700259/
https://www.security-insider.de/remote-access-vpn-mit-zwei-faktor-authentifizierung-a-389000/
http://www.itseccity.de/produkte-services/it-security/vpn-loesungen/ncp-engineering090315.html
Authenticator-App:
a) FreeOTP Authenticator
b) Authy
c) Microsoft Authenticator
d) LastPass Authenticator
e) Google Authenticator
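The codes all of the authenticator apps listed above produce are TOTP (RFC 6238), which is HOTP (RFC 4226) over a 30-second time counter: an HMAC of the counter, dynamically truncated to a few decimal digits. The following added example (not code from the page's sources) implements both, verifies a code with a small clock-skew window in constant time, and decodes the base32 secret that authenticator apps exchange in otpauth:// URIs. The test values are the published RFC 4226 and RFC 6238 vectors for the seed "12345678901234567890"; the base32 string in the test is a constructed sample secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# SHA-1 test seed from RFC 4226 Appendix D / RFC 6238 Appendix B.
RFC_SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: dynamically truncated HMAC of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, digestmod)


def verify_totp(secret, code, for_time=None, window=1, step=30, digits=6,
                digestmod=hashlib.sha1):
    """Accept the code for the current interval or up to `window` intervals either side
    (phone clock skew), comparing in constant time. A real server must also remember
    the last accepted counter so a captured code cannot be replayed within the window."""
    t = int(time.time() if for_time is None else for_time)
    for drift in range(-window, window + 1):
        candidate = totp(secret, t + drift * step, step, digits, digestmod)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(encoded):
    """Authenticator apps carry the secret as unpadded base32 (otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                    # restore padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SEED, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_SEED, 59, digits=8))
    print("current 6-digit code:", totp(RFC_SEED))
```

The window is the usual compromise between users whose phone clock drifts and the size of the guessing surface; for SSH the PAM module shipped with Google Authenticator does this verification, and the server side has to protect the secret file like a password hash.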


OKKill hack-attempts against the Secure Shell
In order to prevent hundreds of sshd tasks starting at the same time during a hacking attempt, add the line

MaxStartups 3:30:10

into the configuration file /etc/ssh/sshd_config. This restriction is effective but complicated. The values in the example mean that 2 (= 1st value minus 1) unauthenticated sshd connections (i.e. connections still in the login state) are always allowed.
A third connection (= 1st value) is blocked with a probability of 30% (second value).
The probability of refusing a connection increases linearly until, from 10 open (half-built) connections (third value) on, each attempt to build up a connection is blocked at a rate of 100 percent.

Notice that users already logged in do not count towards these values! The values in the example above should suffice for each small and medium-sized server. If there are plenty of SSH users, higher values might be recommended, for example:

MaxStartups 10:30:50 6

Source: https://www.strassenprogrammierer.de/sicherheit-ssh-hacker_tipp_480.html

OKForbid root-access for SSH
Change the ssh-configuration:

nano /etc/ssh/sshd_config

and set

PermitRootLogin no

And to make it most secure, we add the following lines:

# Only permit user admin.
AllowUsers admin
# Generally block root or user of group root:
DenyUsers root
DenyGroups root

These lines can be added at the beginning of the file. Extend the entry AllowUsers if more users are to be permitted for SSH login. Further users are separated by a blank, not by a colon, for example:

AllowUsers admin user1 user2 user3

Now the ssh daemon gets restarted:

service ssh restart

Debian:

/etc/init.d/ssh reload

CentOS: sh /etc/init.d/sshd restart

Now we open a new session and try to login as root. By using the correct password, we get the message:
Access denied
Source: https://www.rechenkraft.net/wiki/Root_Server_absichern_(Ubuntu_14.04)
https://linux-scout.de/sicherheit/debian-server-absichern-so-machen-sie-es-richtig/
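The MaxStartups rule and the PermitRootLogin/AllowUsers settings of the two sections above are easy to get wrong because sshd takes the first occurrence of a keyword and ignores everything in the global section after the first Match block. The following added example (not code from the page's sources) parses a constructed sshd_config excerpt with exactly those rules, reports the weak settings, and computes the percentage with which sshd refuses a new connection for a given MaxStartups value as a function of the connections already waiting in the unauthenticated state (the linear ramp described above, as implemented in sshd's drop_connection(): never below the first value, always from the third value on). The sample configuration is constructed.

```python
# Constructed /etc/ssh/sshd_config excerpt with two weaknesses on purpose.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxStartups 3:30:10
AllowUsers admin user1
Match User backup
    PermitRootLogin no
"""


def global_directives(conf):
    """Keyword -> value for the global section (everything before the first Match).
    sshd uses the first occurrence of a keyword, so later duplicates are ignored."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        found.setdefault(key, value)
    return found


def parse_max_startups(value):
    """'start:rate:full', or a single number (then start == full and rate == 100)."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    start, rate, full = (int(p) for p in parts[:3])
    return start, rate, full


def drop_probability(max_startups, unauthenticated):
    """Percent chance that sshd refuses a new connection while `unauthenticated`
    connections are already waiting for login (sshd's drop_connection() logic)."""
    start, rate, full = max_startups
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def audit_sshd_config(conf):
    """Findings for the settings discussed above."""
    d = global_directives(conf)
    findings = []
    root = d.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set explicitly (should be 'no')")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', should be 'no'")
    if "maxstartups" not in d:
        findings.append("MaxStartups not set (default 10:30:100)")
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append("no AllowUsers/AllowGroups restriction")
    if d.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is enabled; prefer key-based login")
    return findings


if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("finding:", f)
    ms = parse_max_startups(global_directives(SAMPLE_SSHD_CONFIG)["maxstartups"])
    for waiting in range(0, 11):
        print(f"{waiting} unauthenticated connections -> refuse with {drop_probability(ms, waiting)}%")
```

Run the audit against the live file with audit_sshd_config(open("/etc/ssh/sshd_config").read()); "sshd -T" prints the effective configuration if the file uses Include or Match and a flat parse is not enough.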

OKSecure Linux Server
From Qloc Wiki
Here you find the essential basics to secure a Debian/Ubuntu system. Apart from the tips listed here there are many more security precautions to make attacks more difficult.
Generally, on all public systems only the essential services should be accessible from the outside. Unused services like a web server or a MySQL server should either be made inaccessible with the help of iptables rules or be deactivated.
Summary

1 Secure keywords (passwords)
2 SSH Port: secure up by change
3 Creating SSH-keys
4 Opening of required ports only
5 Prevention of Brute Force Attacks
6 Installing security updates

https://wiki.qloc.de/index.php/Absichern_eines_Linux_Servers

Right here we´d like to mention the server configuration files for many more security settings (like access/login, ACL-access-rights, log, bandwidth and server-ports (now "client"-ports) to open). Also search for adequate modules resp. securing server-extensions.

- Apache: mod_evasive against DDoS, mod_cband as traffic-Cop
- Fail2Ban for the https-vHosts- resp. htaccess authentification
- 24/7 monitoring with SMS alerting through an SMS Gateway via monit
- encrypted backups in two different computer centers
- instead of unencrypted ftp: SFTP. The transfer gets encrypted through sshd.
Configure an ftp server working with SSL encryption; it is similar to POP3 and IMAP. Then the transfers are secure and no one can read the data.
Forbid anonymous accounts and run the ftp server in a chroot environment. This keeps away most annoyances.
Use ssh instead of ftpd, as sftp relies on ssh too.
Normally, connecting to an FTP server with SSL is not more difficult than to one without.
Just configure the ftp client for SSL encryption and it will connect. Then everything works like connecting to an ftp server without SSL. One will only be asked whether the certificate is accepted.
SSH uses port 22. It is possible to upload files too, but the user, once logged in, has the possibility to access the system - unless the account is chrooted.
...
https://serversupportforum.de/forum/security/28079-abschottung-wie-geht-es-nun-weiter-2.html


Chroot (command chroot): it is part of commands resp. communication protocols like mount, ssh and sftp and counters one of the most serious threats! Help is given by sandboxes and/or the locking of the users' shells (unfortunately a sandbox helps only if a program works inside sandboxes; the tor-browser for example does not, but it might have its own one). We are going to talk about this problem!

Chroot and Chroot-Jail (Chroot-Enviroment, Chroot-Sandbox)
https://wiki.debian.org/chroot
Step by step: https://www.linuxwiki.de/chroot

Chroot and Chroot-Jail, debian.org, wikipedia.org
A chroot on Unix operating systems is an operation that changes the apparent root directory for the currently running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot system call or the chroot wrapper program. The modified environment is called a chroot jail.
https://wiki.debian.org/chroot
https://en.wikipedia.org/wiki/Chroot

Linux - Keeping users inside their home directory - Super User
If you use chroot like this, everything the user needs (executables, libraries, etc.) has to be within the chrooted directory. I've seen ftp-servers set up that way, with static executables copied into a bin directory.
https://superuser.com/questions/396282/keeping-users-inside-their-home-directory

How to configure ProFTPD to chroot users to /home directory or any ...
If you're using ProFTPD on a Linux server, you most certainly have wondered how you can configure the FTP server to chroot (or jail) its users to a particular ...
https://www.pc-freak.net/blog/how-to-configure-proftpd-to-chroot-users-to-home-directory-or-any-other-selected-directory-2

Furthermore, after the configuration the server can run in a lower but safer runlevel such as runlevel 3 (command: "init 3") instead of the common runlevel 5 or 6. mgetty resp. mingetty: terminal switch (ALT + CTRL + F1 up to F7); set the runlevel for the server during system boot in the server configuration file (if possible there), via systemd (systemctl) or via chkconfig.

OKCoreboot - flashing the BIOS: replacement of the manufacturer's BIOS by the Linux system, https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil1/
"System security is already defined at the hardware level. Even today it might be difficult to find WLAN chipsets for which open source drivers are provided. Exceptions like the AR9170 chipset exist, and the same holds for the BIOS.
Ideally Coreboot can replace the actual BIOS with an open-source, free BIOS. Otherwise hidden backdoors usable by secret services are risked.
We can only be really "secure" if open source is used for hardware and software. [...]
Therefore I am urged to make an exception for the project "hardened Linux" and like to repeat that this project does not protect against targeted secret services.
[...] As I wrote in the first article, a secure operating system can only be obtained using Linux resp. Unix."
https://www.coreboot.org/Supported_Motherboards # among others
Many BIOS variants are associated with software errors. Getting rid of them often requires updates from the manufacturer. Besides these unintended restrictions, basic approaches exist to implement more functions in proprietary firmware (BIOS resp. UEFI) in future, which raises fears of more deliberate restrictions of functionality.
Source: https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil1/
https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil2/
https://de.wikipedia.org/wiki/Coreboot
https://www.golem.de/0912/72132.html
With Coreboot the system startup time can also be reduced.

OKCopy the BIOS flashing file (.ROM) from the manufacturer's DVD into the boot partition too, so that it can be loaded after pressing the function key or from the BIOS setup to flash, if required!

OKhal resp. haldaemon extends the boot time of C6 (CentOS 6) resp. "previous" mdv (2010-2012) until the KDE login (kdm), not counting the LUKS password login and the harddisk check by fsck (we thought of each boot), seriously: from around 20 seconds up to more than one minute! hal resp. hald (haldaemon) might work faster by creating the file haldaemon within /etc/sysconfig with the following content:

--child-timeout=15 --daemon=no # child-timeout: limit for child processes

In /etc/dbus-1/system.d/hal.conf forbid some of the methods and devices allowed up to now, for example LightSensor and WakeOnLan, and in other subdirectories haldaemon-related files like *dell-computer* can eventually just be deleted (removed).

OKConfiguration of the network interface in /etc/udev/rules.d/70-persistent-net.rules for mainboard ASUS ITX-220

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
# Drakx-net rule for eth0 (cb:ad:b3:81:1a:53)

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="cb:ad:b3:81:1a:53",ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x10ec:0x8168 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="0b:01:ab:ba:3b:15", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

The first entry configures the interface as NAME="eth0" for udev with the original MAC address in ATTR{address}; this is not the MAC address renewed later by macchanger in /etc/rc.local, otherwise enter the exchanged one (if macchanger has already renewed it at this point). The second entry configures the PCI interface of the ITX-220 as NAME="eth1". This PCI entry, or both entries, might be generated automatically by udev. Take care that NAME is always eth0 in the first entry and eth1 in the second one (and never eth0).

OKifcfg-eth0

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=no
METRIC=5
MII_NOT_SUPPORTED=yes
USERCTL=yes
DNS1=127.0.0.1
RESOLV_MODS=yes
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=yes
DHCP_CLIENT="dhclient -4 -cf /etc/dhcp/dhclient.conf eth0"
NEEDHOSTNAME=no
PEERDNS=no
PEERYP=no
PEERNTPD=no
TYPE=Ethernet
IPADDR=0.0.0.0
MACADDR=e1:a0:b0:cd:a1:b8 # original OR "black masked" hardware address (ethernet card)

For the masked address try /etc/rc.local: "macchanger --mac e1:a0:b0:cd:a1:b8 eth0", and set "your IP" in Linfw3 to the local IP newly given (or the original one) by this MAC address next to (or after) the connection build-up. The computer (system) might break down after all these changes, but after some restarts the system will regain its old and good stability.


More network troubleshooting:
https://www.pcwelt.de/a/wlan-probleme-so-loesen-sie-typische-aergernisse,3389115
https://www.pcwelt.de/ratgeber/Fehlersuche-im-Netzwerk-LAN-WLAN-1953158.html

OKInstall the current netprofile (rpm: omv2015, pclos, rosa2014.1) only; never choose other (older) buggy versions!

OKIf the interface is eth0 only, delete the following files:

rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases
...

OKRemove all other interfaces except eth0 from drbl.conf; choose eth0 only, if eth0 is the net interface
drbl.conf
nano /etc/drbl/drbl.conf

There should be only one interface named eth0 configured, which is also shown in MCC. If the net adapter does not build up the connection, look for all passages in files with eth not valued zero, like eth1, eth2 and so on! Use grep -R to find such files and remove them (such passages)! Update dhclient (el6) and netprofile including all netprofile plugins (rosa2016.1, omv4)! If there are still problems, unplug the net adapter of the DSL modem for a short time and plug it in again for a new connection build-up with the DSL provider. Now the net adapter should work fine and, as we hope, forever!

OKNetwork aliases

/etc/networks

default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0

In a computer network, a link-local address is a network address that is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to. Link-local addresses are most often assigned automatically through a process known as stateless address autoconfiguration or link-local address autoconfiguration. Link-local addresses are not guaranteed to be unique beyond a single network segment. Routers therefore do not forward packets with link-local addresses.
For protocols that have only link-local addresses, such as Ethernet, hardware addresses assigned by manufacturers in networking elements are unique, consisting of a vendor identification and a serial identifier. Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation. In IPv6, they are assigned the address block fe80::/10, https://en.wikipedia.org/wiki/Link-local_address.


OKPreload-acceleration
The tool Preload does not accelerate the boot time but the program starts or autostarts (under "Start programs") that are used often or regularly after each system login. This simple service logs the favourite programs and loads them into the RAM beforehand, which speeds up the program start. Preload is available as rpm and deb package.


A manual configuration is not essential, but possible ("/etc/preload.conf"); start preload for example within /etc/rc.local.
https://www.pcwelt.de/ratgeber/Schneller_Linux-Start_ueber_Systemd_-_so_geht_s-Dienste_optimieren-8259105.html

OKrkhunter, chkrootkit, Lynis - security check
With lynis an audit can simply be made:

su
lynis audit system --quick

After the first run one is confronted with the total result named "Hardening index". "Warnings" and "Suggestions" on how to secure resp. harden the system are shown while scrolling.
https://www.kuketz-blog.de/linux-systemhaertung-basis-linux-haerten-teil2/

OKDelete X Windows on server
X Windows on server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set run level to 3. Finally, remove X Windows system, enter:

# yum groupremove "X Window System"
On CentOS 7/RHEL 7 server use the following commands:
# yum group remove "GNOME Desktop"
# yum group remove "KDE Plasma Workspaces"
# yum group remove "Server with GUI"
# yum group remove "MATE Desktop"

https://www.cyberciti.biz/tips/linux-security.html

OKX-Server: Howto secure up: Host- and cookie-based access
The number 1 rated high risk system vulnerability noted by the recent ISS audit of BNL was the use of "xhost +" or an open X display. Using "xhost +" allows anyone the ability to watch your keystrokes, capture windows and insert command strings into your windows. This situation is particularly bad when you have root access to a machine. There is no legitimate reason to run "xhost +". Most people will be using ssh to make their connections to other machines than their desktop, and ssh tunnels X11 traffic, eliminating any need for "xhost +". To turn on X11 forwarding with ssh, call it like:

ssh -X host.domain

This can be turned on by default by adding the following to $HOME/.ssh/config:

Host *.bnl.gov
ForwardX11 yes

Make sure of the following things:

You should not set your DISPLAY variable, ssh will do it for you. It will look something like:

echo $DISPLAY
localhost:12.0

X11 forwarding must be allowed by the SSH server. Check /etc/ssh/sshd_config for a line saying "X11Forwarding yes".
On Linux/UNIX machines, the "xhost +" command can be issued at many locations, so you will have to remember, where you did it or find the location to turn it off (I believe that all recent version of the Linux X server have "xhost -" as the default). If you cannot find where the "xhost +" command is issued, adding a call to "xhost -" somewhere will turn it off.

Some of the most common files where you can find the "xhost +" command are in the X11 startup files. These file are

$HOME/.Xclients
$HOME/.Xclients.gnome
$HOME/.Xclients.kde
$HOME/.xinitrc
$HOME/.xsession
/etc/X11/xinit/xinitrc
/usr/X11R6/bin/startx
/usr/X11R6/lib/X11/xdm/Xsession

Also, doing a man xinit will give you more information on startup files which are executed when one starts up X11.

If you want to test to see whether you have fixed the "xhost +" problem on your systems, log into another unix computer, disable the ssh X11 encryption channel by resetting the $DISPLAY environment variable back to the server port 0 of your desktop, and then try starting up an xclock. For example, type the following commands

ssh youraccount@yourfavoritunixserver.phy.bnl.gov
setenv DISPLAY yourdesktop.phy.bnl.gov:0
xclock

If an xclock pops up on your screen, you still have not properly enabled X11 access control. You should contact your computer liaison for further assistance.
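To find where an open "xhost +" is issued, here is an added shell example (not from the BNL page or from this site) that searches the startup files listed above for a line that disables access control; the temporary "home" directory and the sample files it creates are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not from the original page: search X11 startup files for a
# line that disables access control ("xhost +" with nothing or only whitespace
# after the plus). "xhost +si:localuser:..." and commented-out lines do not match.

# Print the startup files named in the text for the home directory $1
# (default: $HOME); the system-wide paths are the ones from the list above.
xhost_startup_files() {
    home=${1:-$HOME}
    printf '%s\n' \
        "$home/.Xclients" "$home/.Xclients.gnome" "$home/.Xclients.kde" \
        "$home/.xinitrc" "$home/.xsession" \
        /etc/X11/xinit/xinitrc /usr/X11R6/bin/startx /usr/X11R6/lib/X11/xdm/Xsession
}

# For every readable file given as argument, print "file:line:text" for each
# line that runs an unrestricted "xhost +". Always returns 0 so that it can be
# used under "set -e" even when nothing is found.
find_xhost_plus() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nHE '^[[:space:]]*xhost[[:space:]]+\+([[:space:]]|$)' "$f" || true
    done
    return 0
}

# Demonstration on constructed files in a temporary "home" directory.
demo_home=$(mktemp -d)
printf 'xhost +\n' > "$demo_home/.xinitrc"                               # the problem
printf '# xhost +\nxhost +si:localuser:alice\n' > "$demo_home/.Xclients"  # harmless
printf 'xhost -\n' > "$demo_home/.xsession"                              # harmless
find_xhost_plus $(xhost_startup_files "$demo_home")
rm -rf "$demo_home"
```

Run it as the user whose session starts X; only the `.xinitrc` line is reported, and the hit shows the file and line number to edit.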

Xterminals
To enable access control (set xhost -) on Tektronix Xterminals bring up the "Setup" menu (F3 key). In the "Configuration Summaries" pull down menu select "X Environment". On the X Environment page toggle "Enable Access Control" to "Yes". Return to the Main Menu and then "Save Settings to NVRAM". The terminal will now reject all X connections except those coming from the machine you connect to via XDM and those coming through tunnels to your XDM host created when you ssh to another machine. If you run "xhost +" on the XDM host, then you will again disable access control, so you should make sure that you do not do this in any of the X setup files (see the UNIX discussion above).

The following is an e-mail from Ofer Rind, who tells us how to enable X11 authentication on NCD Xterminals. Thanks Ofer for your post.
-----------
- Disabling Xhost+ on an Xterminal
(NB: This was tried on both NCD and Textronix Xterminals and seemed to work; however, your mileage may vary. The description is for an NCD.) Press Alt-F3 to pull up the Xterminal control bar. Select "Change Setup Parameters" from the "Setup" menu. When the setup parameters window pops up, select "Access Control." This will expand the menu, revealing an option called "Enable Access Control." Turn this on by pressing the adjacent square. Then, at the bottom of setup window, press the "Apply" button to effect the change. This sometimes takes several seconds, be patient. When the arrow cursor returns, close the setup window and return to your previously scheduled program. X access control should now (hopefully) be enabled. NOTE that this access control can be superseded by a user who logs in on the Xterm and sets "xhost +".
Source: http://www.phy.bnl.gov/cybersecurity/old/xhost_plus.html

So our settings, typed into the terminal and into /etc/rc.local after login as superuser with the command "su", are (reset with "xhost +" on problems after the login):

xhost -
xhost +si:localuser:local-username # local-username: the user only, i.e. all other users are locked out, among them root, surfuser and toruser
xhost -si:localuser:root # already covered by "xhost -"
xhost -si:localuser:toruser # already covered by "xhost -"
xhost -si:localuser:surfuser # already covered by "xhost -"
xhost -inet6:user@ # with inet6 (IPv6), unlike with si, the @ sign must follow the user name
xhost -nis:user@ # nis: Secure RPC network

Output of command xhost:
access control enabled, only authorized clients can connect
SI:localuser:local-username


Do not set it for any other user, not even root! These two simple rules (for example in /etc/rc.local) make the system once more mouse-click fast.

OKX-Server, cookie-based access: MIT-MAGIC-COOKIE-1
When using xdm (X Display Manager) to log in, you get a much better access method: MIT-MAGIC-COOKIE-1.
A 128-bit "cookie" is generated and stored in your .Xauthority file. If you need to allow a remote machine access to your display, you can use the xauth command and the information in your .Xauthority file to provide access to only that connection. See the Remote-X-Apps mini-howto, available at
http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html.

Cookie-based access
The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and passing it to the X display server when it is started; every client that can prove having knowledge of this cookie is then authorized connection to the server.
These cookies are created by a separate program and stored in the file .Xauthority in the user's home directory, by default. As a result, every program run by the client on the local computer can access this file and therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program from another computer on the network, the cookie has to be copied to that other computer. How the cookie is copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie.
The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first method, the client simply sends the cookie when requested to authenticate. In the second method, a secret key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server.
The xauth application is a utility for accessing the .Xauthority file. The environment variable XAUTHORITY can be defined to override the name and location of that cookie file.
The Inter-Client Exchange (ICE) Protocol implemented by the Inter-Client Exchange Library for direct communication between X11 clients uses the same MIT-MAGIC-COOKIE-1 authentication method, but has its own iceauth utility for accessing its own .ICEauthority file, the location of which can be overridden with the environment variable ICEAUTHORITY. ICE is used, for example, by DCOP and the X Session Management protocol (XSMP).
https://en.wikipedia.org/wiki/X_Window_authorization

Fetch the magic cookie entry relevant to your local display:
[garth@server1 ~]$ echo xauth add $(xauth list ${DISPLAY#localhost})
xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
Switch user to "oracle" and add the entry into your /home/oracle/.Xauthority file (by copying the 'xauth add...' line from above):

[garth@server1 ~]$ sudo su - oracle
[oracle@server1 garth]$ echo $DISPLAY
localhost:12.0
[oracle@server1 garth]$ xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
xauth: creating new authority file /home/oracle/.Xauthority

After this your X-session should work…try something like "xcalc" or "firefox" to test it first and you should be ready to go!
http://www.snapdba.com/2013/02/ssh-x-11-forwarding-and-magic-cookies/

OKAlso use ssh to allow secure X connections. This has the advantage of also being transparent to the end user, and means that no unencrypted data flows across the network.

OKAlso disable any remote connections to your X server by using the '-nolisten tcp' option to your X server. This will prevent any network connections to your server over tcp sockets.
Take a look at the Xsecurity man page for more information on X security. The safe bet is to use xdm to login to your console and then use ssh to go to remote sites on which you wish to run X programs.
http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

kdm: /usr/share/config/kdm/kdmrc

...
AllowNullPasswd=false
AllowRootLogin=false
AllowShutdown=None
AutoReLogin=false
...
ServerArgsLocal=-deferglyphs 16 -nolisten tcp
...

OKX11: Graphic card adjustments, especially for opengl- and SDL-games
The adjustment influences the system and the graphics card.
BIOS setup: Northbridge -> COMBO mode
Start driconf (for the hardware see the data sheet)
Activate:
1) performance
+ synchronisation with the vertical refresh rate, so that programs choose the minimal one
+ buffer object reuse: enable reuse of all sizes of buffer objects
2) display (screen) quality
+ activate S3TC texture compression, even if unsupported by software
3) on failures
+ activate the immediate flushing of the batch buffer after each draw call
+ activate the immediate flushing of the GPU buffer
+ disable throttling on first batch after flush
+ force GLSL extension default behavior to "warn"
+ disable backslash-based line continuation in GLSL source
+ disable dual source blending
+ perform code generation at shader link time

OKDeny administrative remote access
/etc/security/access.conf should be changed so that remote access to an administrative account becomes impossible. That way users have to start the program su (or sudo) for administrative rights, so that there is always a track to check.
Add the following line into /etc/security/access.conf:

-:wheel:ALL EXCEPT LOCAL

Do not forget to activate the PAM module for each service (or in the standard configuration) if you want changes within /etc/security/access.conf to be noticed.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html

OKHow to Check Password Expiration of User
In Linux, users' passwords are stored in the '/etc/shadow' file in encrypted format. To check the password expiration of users, you need to use the 'chage' command. It displays information on the password expiration details along with the last password change date. These details are used by the system to decide when a user must change his/her password. To view any existing user's aging information such as expiry date and time, use the following command.

#chage -l username
To change password aging of any user, use the following command.
#chage -M 60 username
#chage -M 60 -m 7 -W 7 userName
Parameters
-M Set maximum number of days
-m Set minimum number of days

Quelle: https://www.tecmint.com/linux-server-hardening-security-tips/

OKChecking Accounts for Empty Passwords
Any account having an empty password means it is open for unauthorized access to anyone on the web, and checking this is part of security within a Linux server. So you must make sure all accounts have strong passwords and no one has any unauthorized access. Empty password accounts are security risks and can be easily hacked. To check if there are any accounts with an empty password, use the following command.

awk -F: '($2 == "") {print $1}' /etc/shadow

https://www.tecmint.com/linux-server-hardening-security-tips/
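As an added example (not the tecmint article's or this page's own code) that serves both the password-expiration check with chage above and the empty-password check, here is a small audit over a shadow-format file: it reports accounts with an empty password field and accounts whose password is older than the maximum age set with "chage -M". The sample file, its user names and its placeholder hashes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a shadow-format file for
# empty passwords and for expired passwords, using the field layout of /etc/shadow:
#   name:password:lastchange:min:max:warn:inactive:expire:reserved
# "lastchange" (days since 1970-01-01) and "max" are the values chage(1) shows
# and sets (-M). Run it on the real file as root: shadow_empty_passwords /etc/shadow

# Print the names of all accounts whose password field is empty.
# Usage: shadow_empty_passwords /path/to/shadow
shadow_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the names of all accounts whose password has expired on day $2
# (days since 1970-01-01, like field 3 of /etc/shadow; "today" is
# $(( $(date +%s) / 86400 )) on a live system).
# An account counts as expired when lastchange + max < today.
# Locked accounts (password field starts with ! or *) and accounts
# without a last-change date or maximum age are skipped.
# Usage: shadow_expired_passwords /path/to/shadow 19900
shadow_expired_passwords() {
    awk -F: -v today="$2" '
        $2 ~ /^[!*]/ { next }          # locked or no password login possible
        $3 == "" || $5 == "" { next }  # no last-change date or no max age
        ($3 + $5) < today { print $1 }
    ' "$1"
}

# Constructed sample shadow file; the hashes are placeholders, not real ones.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$placeholderhash:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19500:0:99999:7:::
olduser:$6$placeholderhash:19000:0:60:7:::
fresh:$6$placeholderhash:19890:7:60:7:::
locked:!$6$placeholderhash:18000:0:60:7:::
EOF
    printf '%s\n' "$f"
}

# Demonstration: "guest" has no password, "olduser" is 900 days past a 60-day maximum.
sample=$(make_sample_shadow)
echo "accounts with empty password:"
shadow_empty_passwords "$sample"
echo "accounts whose password expired by day 19900:"
shadow_expired_passwords "$sample" 19900
rm -f "$sample"
```

The expiry rule deliberately ignores locked accounts: a "*" or "!" prefix means no password login is possible at all, so an old change date there is not a finding.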

OKKeep a (daily) watch on the log files (for example with logwatch) as well as on the last logins in /var/log/lastlog
With the help of the command lastlog the content from /var/log/lastlog can be transferred into a readable format.
https://www.stefanux.de/wiki/doku.php/linux/hardening

OKServices should not run as root-processes
Deactivate services that are not needed (reducing the attack surface): check the open ports
netstat -lnptu
Internet superserver:
is the outdated inetd still needed?
configure xinetd securely
Secure (exposed) services:
listen only on a specific IP, move to other ports
possibly use port knocking (example: SSH)
BIND with chroot
use a secure FTP server: vsftpd or pure-ftpd
Do not allow insecure services for critical tasks (login):
FTP
Telnet
outdated r-services (rsh, rlogin, ...)
Set up only the necessary user accounts
Check the users' passwords regularly for weak passwords
Do not allow empty passwords
Secure the kernel:
build your own (minimal) kernel
Run an integrity checker, e.g. tripwire, as a cron job. The signatures should be stored on a secure third system resp. be mounted read-only (e.g. on a CD or a write-protected floppy disk)
The use of shadow passwords is usually already activated (shadowconfig on). Secure the logs (log files):
set up a log host, or
secure the log files: with Secure Logging from Core-Wisdom you can also store log files in MySQL databases or protect them against modification with a fingerprint.
msyslogd, or
logrotate → log by mail
Search regularly for suid programs:
automatically with programs:
sxid sends a daily report about newly added suid/sgid programs by mail
manually:
root suids:
find / -perm -4000 2>/dev/null
suids in general:
find / -perm /6000 2>/dev/null
sgid programs:
find / -perm -2000 2>/dev/null
the full output with all permissions is obtained with:
ls -lad --full-time $(find / -perm /6000 2>/dev/null)
Switch off the banners (version numbers etc.) of services
do not show the kernel version in /etc/motd, show warnings for attackers instead
SSH: in the source code
Web server:
study the log files
run monitoring
Source: https://www.stefanux.de/wiki/doku.php/linux/hardening
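The manual suid/sgid search from the list above, as an added shell example that is not part of the stefanux wiki or of this page: it wraps the find commands in functions, keeps a baseline list the way sxid does and reports what was added since. The temporary directory and the files set to mode 4755/2755 are constructed for the demonstration; on a real system call the functions with / or /usr.

```shell
#!/bin/sh
# Added example, not from the original page: find setuid/setgid files and
# compare two runs to spot newly added ones (GNU find is assumed for -printf).

# Print every regular file below $1 that has the setuid or setgid bit set,
# one path per line, sorted. Errors from unreadable directories are discarded,
# as in "find / -perm -4000 2>/dev/null".
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Only setuid files owned by root: a flaw in one of these runs as root.
find_suid_root() {
    find "$1" -type f -perm -4000 -user root -print 2>/dev/null | sort
}

# Baseline lines "mode owner group path", sorted so that comm(1) can compare them.
suid_baseline() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | sort
}

# Print the entries present in the fresh baseline $2 but not in the saved one $1.
suid_new_since() {
    comm -13 "$1" "$2"
}

# Demonstration on a constructed directory tree.
demo=$(mktemp -d)
: > "$demo/plain";  chmod 0755 "$demo/plain"
: > "$demo/setuid"; chmod 4755 "$demo/setuid"
: > "$demo/setgid"; chmod 2755 "$demo/setgid"
echo "setuid/setgid files below $demo:"
find_suid_sgid "$demo"
baseline=$(mktemp); suid_baseline "$demo" > "$baseline"
: > "$demo/later"; chmod 4755 "$demo/later"    # something new appears
current=$(mktemp); suid_baseline "$demo" > "$current"
echo "new since baseline:"
suid_new_since "$baseline" "$current"
rm -rf "$demo" "$baseline" "$current"
```

Keep the saved baseline on read-only media or another host, as the list recommends for tripwire signatures; a baseline an intruder can rewrite proves nothing.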

OKSVGA
SVGAlib programs are typically SUID-root in order to access all your Linux machine's video hardware. This makes them very dangerous. If they crash, you typically need to reboot your machine to get a usable console back. Make sure any SVGA programs you are running are authentic and can at least be somewhat trusted. Even better, don't run them at all.
Source: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

OKGGI (Generic Graphics Interface project)
The Linux GGI project is trying to solve several of the problems with video interfaces on Linux. GGI will move a small piece of the video code into the Linux kernel, and then control access to the video system. This means GGI will be able to restore your console at any time to a known good state. They will also allow a secure attention key, so you can be sure that there is no Trojan horse login program running on your console.
http://synergy.caltech.edu/~ggi/
Source: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

OKDisable USB stick to detect (recommended for companies etc.)
Many times it happens that we want to restrict users from using USB sticks in systems to protect and secure data from being stolen. Create a file '/etc/modprobe.d/no-usb' and add the line below; USB storage will then not be detected.

install usb-storage /bin/true

https://www.tecmint.com/linux-server-hardening-security-tips/

Disable USB/firewire/thunderbolt devices
echo ";install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo ";blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf

Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system.
https://www.cyberciti.biz/tips/linux-security.html

OKSystem-Banner
Formulate a "welcome" text shown after the login to the server in /usr/lib/issue.net, so that unwanted users really think about whether to proceed or whether it would be better to log out and go away.

OKHow to Spoof a MAC Address (identifying hardware address of the ethernet card) permanently [...] A 48-bit MAC address (e.g., 08:4f:b5:05:56:a0) is a globally unique identifier associated with a physical network interface, which is assigned by a manufacturer of the corresponding network interface card. Higher 24 bits in a MAC address (also known as OUI or "Organizationally Unique Identifier") uniquely identify the organization which has issued the MAC address, so that there is no conflict among all existing MAC addresses.
While a MAC address is a manufacturer-assigned hardware address, it can actually be modified by a user. This practice is often called "MAC address spoofing." In this tutorial, I am going to show how to spoof the MAC address of a network interface on Linux.
Why Spoof a MAC Address?
There could be several technical reasons you may want to change a MAC address. Some ISPs authenticate a subscriber's Internet connection via the MAC address of their home router. Suppose your router is just broken in such a scenario. While your ISP re-establishes your Internet access with a new router, you could temporarily restore the Internet access by changing the MAC address of your computer to that of the broken router.
Many DHCP servers lease IP addresses based on MAC addresses. Suppose for any reason you need to get a different IP address via DHCP than the current one you have. Then you could spoof your MAC address to get a new IP address via DHCP, instead of waiting for the current DHCP lease to expire who knows when.
Technical reasons aside, there are also legitimate privacy and security reasons why you wish to hide your real MAC address. Unlike your layer-3 IP address which can change depending on the networks you are connected to, your MAC address can uniquely identify you wherever you go. Call me a paranoid, but you know what this means to your privacy. There is also an exploit known as piggybacking, where a hacker snoops on your MAC address on a public WiFi network, and attempts to impersonate you using your MAC address while you are away.
[...] If you want to spoof your MAC address permanently across reboots, you can specify the spoofed MAC address in interface configuration files. For example, if you want to change the MAC address of eth0, do the following.


macchanger: some things have to be done: "macchanger -r eth0" suggests a random MAC address; add it to /etc/rc.local (with "macchanger --mac new-MAC-address eth0"), do the same in /etc/sysconfig/network-scripts/ifcfg-eth0 and change the local IP obtained with this new address in LINFW3 (Dialog -> NONYESNO -> own IP); eventually restart the system.
On Fedora, CentOS or RHEL:

nano /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
MACADDR=00:00:00:00:00:01

Alternatively, you can create a custom startup script in /etc/NetworkManager/dispatcher.d as follows, especially if you are using Network Manager. I assume that you already installed macchanger.

nano /etc/NetworkManager/dispatcher.d/000-changemac

#!/bin/bash

case "$2" in
up)
macchanger --mac=00:00:00:00:00:01 "$1"
;;
esac

... or macchanger -r "$1"
Source: https://xmodulo.com/spoof-mac-address-network-interface-linux.html
This might depend on the hardware. "macchanger -r eth0" can also be started at the end of a dial-in script like /usr/sbin/ifup or ifup-eth, for example. The same is possible with ifconfig.

If all this does not function, try same or similar command manually by terminal after the dialin.

Find out the currently set MAC address resp. fake MAC address with

macchanger -s eth0 or

ifconfig
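An added example, not from the xmodulo article or from this page, that looks at a MAC address the way the text describes it (the OUI in the upper 24 bits) and also reads the two flag bits of the first octet: the locally administered bit, which by convention is set on addresses that were not issued by a manufacturer, and the multicast bit. It helps to tell a factory address from a locally set one, for example in a DHCP log. The first address is the page's own example; the others are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: inspect a MAC address.
# First octet, bit 0x02 = U/L (0 universal/manufacturer, 1 locally administered),
# bit 0x01 = I/G (0 unicast, 1 multicast). The first three octets are the OUI.

# Succeeds if $1 looks like a MAC address in aa:bb:cc:dd:ee:ff form.
mac_is_valid() {
    printf '%s' "$1" | grep -qiE '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the OUI (first three octets) in lower case.
mac_oui() {
    printf '%s' "$1" | cut -d: -f1-3 | tr 'A-F' 'a-f'
}

# Print the first octet as a decimal number.
mac_first_octet() {
    echo $(( 0x$(printf '%s' "$1" | cut -d: -f1) ))
}

# Succeeds if the locally administered (U/L) bit is set.
mac_is_local() {
    [ $(( $(mac_first_octet "$1") & 2 )) -ne 0 ]
}

# Succeeds if the individual/group (I/G) bit is set, i.e. a multicast address.
mac_is_multicast() {
    [ $(( $(mac_first_octet "$1") & 1 )) -ne 0 ]
}

# One-line summary: "<mac> oui=<oui> <universal|local> <unicast|multicast>".
# Fails (status 1) for input that is not a MAC address.
mac_inspect() {
    mac_is_valid "$1" || { echo "$1: not a MAC address"; return 1; }
    kind=universal; mac_is_local "$1" && kind=local
    cast=unicast;   mac_is_multicast "$1" && cast=multicast
    echo "$1 oui=$(mac_oui "$1") $kind $cast"
}

# Demonstration: the page's example address, a constructed locally
# administered one, and a constructed IPv4 multicast address.
for mac in 08:4f:b5:05:56:a0 0a:12:34:56:78:9a 01:00:5e:00:00:01; do
    mac_inspect "$mac"
done
```

A random address from macchanger -r shows up as "local" here, which is also what a network operator sees when comparing the address against the OUI registries.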

OKAdjustments within /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
# MACADDR=....
BOOTPROTO=dhcp
ONBOOT=no # yes: automatic dial-in at each boot
METRIC=5
MII_NOT_SUPPORTED=yes
USERCTL=yes # users are allowed to configure the dial-in and to dial in themselves
DNS1=127.0.0.1
DNS2=203.13.81.14
RESOLV_MODS=yes
LINK_DETECTION_DELAY=6
IPV6INIT=no # prefer IPv4 with a dynamic (changing) IP
IPV6TO4INIT=no
ACCOUNTING=no
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=no
PEERYP=no
PEERNTPD=no

OKResolver configuration file
The file /etc/host.conf contains special information about how to configure the resolver library: one configuration keyword per line, followed by the corresponding configuration information.
/etc/host.conf


order hosts,bind
multi on
reorder on
nospoof on
spoofalert on


Source: man host.conf

OKNetworkManager-Configuration by /etc/NetworkManager/NetworkManager.conf:

[main]
dns=none
plugins=keyfile
dhcp=dhclient
rc-manager=unmanaged

[ifupdown]
managed=false

[logging]
level=error
domains=none

More (secure) configurations of the NetworkManager via NetworkManager.conf: see https://developer.gnome.org/NetworkManager/1.11/NetworkManager.conf.html

OKDeactivate NIS
... in order to avoid sharing password hashes over the network. If a directory service is needed, LDAP is recommended instead.

OKSecure finger
There are many finger daemons; ffingerd is regarded as particularly secure. It can limit the number of concurrently running processes and the number of hosts accessing it, and it can be bound to a specific interface. If nobody needs finger, do not run a finger daemon at all: it hands valid account names to anyone who asks.

OKSecure use of PCs under Ubuntu (and others, note by Gooken) for small businesses and the self-employed, v2.0 (PDF, 189 KB, accessible document), BSI, 01.08.2018
https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_009.html

OKGuidance
EUD Security Guidance: Ubuntu 18.04 LTS

Created: 24 Jul 2018
Updated: 24 Jul 2018
https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts

OKpaxctld from grsecurity.net (start paxctld from /etc/rc.local with "paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld")
https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart
/etc/paxctld.conf (one path and one flag set per line; allowed flags are s, r, p, m and E). A lower-case letter disables the PaX feature for that binary, an upper-case letter enables it: "m" switches MPROTECT off for JIT compilers and other programs that need memory both writable and executable, "E" switches trampoline emulation on. Disable a feature only for the binaries that actually need it.
e,E - https://pax.grsecurity.net/docs/emutramp.txt
m,M - http://pax.grsecurity.net/docs/mprotect.txt
p,P - http://pax.grsecurity.net/docs/pageexec.txt
r,R - http://pax.grsecurity.net/docs/randmmap.txt
s,S - http://pax.grsecurity.net/docs/segmexec.txt
https://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities

#gdb
# /usr/bin/gdb srpm

# steam
# /usr/lib32/ld-linux.so.2 m
# /usr/lib64/ld-linux.so.2 m

# node
# /usr/bin/node m
# /usr/bin/perf m

# firefox
# /usr/lib64/firefox/firefox m
# /usr/lib64/palemoon/palemoon m

# tor-browser
# /home/toruser/tor*/Browser/firefox m

# /usr/lib64/thunderbird/thunderbird m

# oxide
/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m

# valgrind
/usr/bin/valgrind m

# python
/usr/bin/python E
/usr/bin/python2.6 E
/usr/bin/python2.7 E
/usr/bin/python3.2mu E

# java
# /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java m
# /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-8-openjdk/jre/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/jre/bin/java m
# /usr/lib/jvm/zulu-8-amd64/bin/java m

# openrc /lib/rc/bin/lsb2rcconf E

# tuned
# /usr/sbin/tuned m

# libreoffice
# Ubuntu doesn´t seem to carry this patch:
# https://bz.apache.org/ooo/show_bug.cgi?id=80816
# libreoffice will still run fine without the below line,
# but it will report an RWX mprotect attempt
# /usr/lib/libreoffice/program/soffice.bin m


OKLock virtual consoles except tty7 by default
In /etc/inittab (SysV init, as on mdv2010 and el6), comment out the getty lines:
...
# Run gettys in standard runlevels
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
...
tty7 stays usable because the display manager (kdm) runs there. On a systemd system the equivalent is to mask the getty@tty*.service instances and set NAutoVTs=0 in /etc/systemd/logind.conf.

Start as few root processes as possible!

OKRemaining essential root processes, apart from those started by the kernel (kthreadd):


init
X # restrict with xhost access control or run in user mode, see https://wiki.gentoo.org/wiki/Non_root_Xorg, and start X with option "-nolisten tcp" (the default; check with Ctrl+Esc and hovering over the X process; configuration for X: /etc/X11/xorg.conf, section "ServerLayout")
hald # makes acpid superfluous
console-kit-daemon # needed only for the login, a timeout is possible
wpa_supplicant # part of NetworkManager
psad # or the psd match of iptables: port-scan detection; start it only with hardening options such as --no-rdns, --no-whois and --no-snort-sids

udevd # devices and interfaces
kdm
syslogd
klogd
gpm
cupsd
dhclient # or dhcpd etc.
pam_timestamp_c
master # Postfix
spamd # alternatively try bogofilter, which always runs in user mode
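To check the list above against a running system, here is an added example (not from this page): it walks /proc and prints every process running as uid 0 whose parent is not kthreadd (pid 2), i.e. the root processes that were started from userland rather than by the kernel. Anything in the output that is not on your own short list is a candidate for removal or for running as an unprivileged user. The optional first argument (an alternative proc root) exists only so the function can be tested against a constructed tree.

```shell
#!/bin/sh
# Added example: list userland root processes (uid 0) that were not spawned by
# the kernel's kthreadd (pid 2). Reads /proc directly, so it needs no ps(1).

# root_userland_procs [PROCDIR]: print "pid name" per matching process
root_userland_procs() {
    proc=${1:-/proc}
    for st in "$proc"/[0-9]*/status; do
        [ -r "$st" ] || continue          # process may have exited meanwhile
        pid=${st#"$proc"/}; pid=${pid%/status}
        # Uid: line = real, effective, saved, fs uid; PPid: = parent pid
        awk -v pid="$pid" '
            $1 == "Name:" { name = $2 }
            $1 == "PPid:" { ppid = $2 }
            $1 == "Uid:"  { uid = $2; ok = 1 }
            END { if (ok && uid == 0 && ppid != 2 && pid != 2) print pid, name }
        ' "$st" 2>/dev/null || true
    done
}

# run as a script: table sorted by pid
root_userland_procs | sort -n
```

Compare the output with the list above after each boot; a new root-owned name that you did not install deserves an explanation.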

OKLost or forgotten password, no access to the system?
The steps needed to recover depend on whether you have applied the suggested procedure for limiting access to lilo and to the system's BIOS.
If you have limited both, you first need to disable the BIOS setting that only allows booting from the hard disk. If you have also forgotten the BIOS password, you will have to reset the BIOS by opening the case and removing the BIOS battery.
Once booting from CD-ROM or diskette is enabled again, try the following:

Boot from a rescue disk and start the kernel

Go to a virtual console (Alt+F2)

Mount the hard disk that holds your root file system

Edit /etc/shadow (the Debian 2.2 rescue disk comes with the editor ae, Debian 3.0 with nano-tiny, which is similar to vi) and change the line:

root:asdfjl290341274075:XXXX:X:XXXX:X::: (X = any number)

to:

root::XXXX:X:XXXX:X:::

This removes the forgotten root password, which is the first colon-separated field after the user name. Save the file, reboot and log in as root with an empty password. Set a new password immediately. This works unless the system is configured more tightly, e.g. if null passwords are not allowed or root may not log in from the console.
Note that this is exactly what anyone with physical access and a boot medium can do to your machine as well. Only full system encryption (see FSE below) takes that option away, because /etc/shadow cannot be read or written without the LUKS passphrase.
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html

OKChecking file system integrity
Are you sure /bin/login on your hard drive is still the binary you installed months ago? What if it is a hacked version that stores the entered password in a hidden file or mails it in clear text across the Internet?
The only practical protection is to compare the current checksum of each file against a baseline taken when the system was known to be clean, every hour/day/month (daily is a good compromise). The MD5 digest is 128 bits, so two files colliding by accident has a probability of roughly one in 3.4e38; but MD5 collisions can be constructed deliberately (practical since 2004, chosen-prefix collisions since 2009), so a baseline created today should use SHA-256. More important than the hash: the baseline database and the checksum tool must be kept where the intruder cannot rewrite them (read-only media or another host), because whoever replaced /bin/login can replace the database or the md5sum binary just as well. Treat this audit of your binaries as very important; it is the easiest way to notice changes to them.
Common tools for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. Installing debsums also helps to check file system integrity by comparing the md5sums of every file against those in the Debian package archive. But beware: those lists can easily be changed by an attacker, and not all packages ship md5sums for the binaries they provide. For more information read "Do periodic integrity checks" (section 10.2) and "Taking a snapshot of the system" (section 4.19) of the Securing Debian HOWTO.
You might want to use locate to index the whole file system; if so, consider the implications. The Debian findutils package contains locate, which runs as user nobody and therefore only indexes files visible to everybody. If you change this, you make all file locations visible to all users. To index the whole file system (not only what user nobody can see) you can replace locate with the package slocate. slocate is labelled a security-enhanced version of GNU locate, but it actually provides additional file-locating functionality: the user only sees the files actually accessible to him, and you can exclude any files or directories. slocate runs its update process with higher privileges than locate and indexes every file; users can then quickly search for every file they are allowed to see, because slocate filters its output by their UID.
You might also want to use bsign or elfsign. elfsign provides a utility to add a digital signature to an ELF binary and a second utility to verify that signature; the current implementation uses PKI to sign the checksum of the binary. The benefit is that one can determine whether a binary has been modified and who created it. bsign uses GPG, elfsign uses PKI (X.509) certificates (OpenSSL).
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
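The following is an added example of the baseline idea behind aide, tripwire and debsums, written for this page and not taken from any of those tools: build_baseline records a SHA-256 sum for every regular file below a directory, verify_baseline reports files that changed or vanished, and new_files reports files the baseline does not know (the case a plain "sha256sum -c" misses). The directory /bin and the baseline file name are assumptions; in practice write the baseline to read-only or off-host storage and run the check from a trusted copy of sha256sum.

```shell
#!/bin/sh
# Added example (not from the page, not aide/tripwire): a minimal file
# integrity baseline with sha256sum. Detects modified, missing and new files.
# Keep the baseline and a trusted sha256sum off the machine or on read-only
# media, otherwise an intruder who swapped /bin/login can swap these too.

# build_baseline DIR OUT: hash every regular file under DIR into OUT
build_baseline() {
    dir=$1; out=$2
    # -print0/-0 cope with odd file names; LC_ALL=C gives a stable order;
    # -r avoids running sha256sum on stdin when DIR is empty
    find "$dir" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$out"
}

# verify_baseline BASE: print "<path>: FAILED" for changed or missing files;
# returns 0 when everything still matches, 1 otherwise
verify_baseline() {
    sha256sum --quiet -c "$1" 2>/dev/null
}

# new_files DIR BASE: list regular files under DIR that the baseline does not know
new_files() {
    dir=$1; base=$2
    find "$dir" -type f | LC_ALL=C sort > "$base.now"
    # sha256sum lines are "<hash>  <path>": the path starts at field 3
    cut -d' ' -f3- "$base" | LC_ALL=C sort > "$base.known"
    LC_ALL=C comm -23 "$base.now" "$base.known"
    rm -f "$base.now" "$base.known"
}

# usage (as root), e.g. from a daily cron job:
#   build_baseline /bin /media/ro/bin.sha256     once, on the clean system
#   verify_baseline /media/ro/bin.sha256 || mail root ...
#   new_files /bin /media/ro/bin.sha256
```

Hashing /bin, /sbin, /usr/bin, /usr/sbin, /lib and /lib64 plus /etc covers what a typical login-stealing replacement touches; files that legitimately change (logs, caches) do not belong in the baseline.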

Countermeasure against offline tampering with the root file system in both cases above: encryption of the root partition, see Full System Encryption (FSE)

OKLong-lived hardware, conductor paths: protected contacts on graphics cards, boards and circuit boards
It sounds like our last piece of advice (of course it is not): do not forget to put some chalk inside the computer tower. The point is to keep the contacts on the mainboard, the graphics chip or graphics card and the other electronics free from corrosion and safe from moisture.

OKRemove online accounts at internet service providers
Phishing, profiling, spam, data trading, legal investigations, organised crime, secret services, ad networks, large server farms, artificial intelligence, social bots, hacks, doxxing, honeypots, man-in-the-middle attacks, ...: before starting the installation of "Universal Linux 2010" resp. before updating programs and system, try to remove as many online accounts as makes sense for you: social media, Google, PayPal, online banking, online shopping, ... This can become quite difficult, so read the respective manuals and follow the instructions. For the remaining accounts, the security settings should be tightened seriously after logging into the portals.

OKAll-round protection through the iptables firewall Linfw3
Linfw3 can be downloaded further below. The idea: only a dedicated user such as surfuser, member of a group such as surfgroup, may start (password protected) the processes that go online; everyone else, including root (uid 0), is not allowed to open network connections. Hackers and trojans are blocked as long as their code does not run as a surfgroup process, which is the point of the separation. Once the ports a program needs have been opened in Linfw3, that program can go online without further fuss; this is the main advantage. The next advantage: all passwords except the one for the LUKS-encrypted root partition become far less critical, even if others know them. File access rights should be restricted per user to at most 700 (automatically via "umask 077" in /etc/fstab, manually with chmod, or graphically through the context menu). The remaining risk lies in chrooting; msec settings such as "Forbid root access" and "Forbid external access for root / forbid chrooting" and/or the sandbox firejail counter it by locking the consoles of the user accounts (including root, uid 0 / gid 0, but not surfuser). The login shell of all system and user accounts except surfuser can also be set to /sbin/nologin, so no login is possible at all; this is done with msec_gui or with a single UNIX/Linux (bash) command. ACLs (query with getfacl, set with setfacl) can additionally restrict which (executable) files processes owned by surfuser may access. Scripts arriving over already established connections are blocked by the Firefox extensions ABP, NoScript and RequestPolicyBlockContinued, or by Firefox >= 64 with its protection against cross-site tracking and scripting and other kinds of tracking. On top of this, the port-scan detector psad, or the psd match of iptables as activated by Linfw3, does its part. And do not forget FSE (full system encryption with LUKS/dm-crypt), keeping in mind the commands mount and therefore cryptsetup (LUKS), including chroot...
All in all, the remaining risk comes from the root processes started by the kernel from the house of Linus Torvalds, although Linfw3 blocks their network access too as long as they run as root, as described. One root process in particular invites distrust: X (the X server, including the graphics card driver). X can be restricted with its own access list via xhost, as described above, started with option "-nolisten tcp", and it can also run in normal user mode. For the fully paranoid, MAC (control and restriction of process interaction) may be of interest too, but it is not a must.
This excursus covers Linfw3, firejail, ACLs, MAC, intrusion detection systems (IDS, if needed), the important Firefox extensions for open connections and further methods later on, after the section on updating.
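The following is an added illustration of the owner-based principle described above, written for this page; it is not Linfw3's own rule set. The function prints an iptables-restore ruleset in which only processes whose group is surfgroup may open outbound connections, root included in the default deny. The group name, the allowed ports (80, 443, 53) and the log prefix are assumptions. Two caveats a practitioner needs: the classic owner match compares the socket's primary group (the fsgid), so surfgroup must be surfuser's primary group and not merely a supplementary one (iptables 1.8.6 added --suppl-groups for the latter); and dhclient runs as root, so its DHCP traffic (UDP 68 to 67) must be allowed explicitly or the machine never gets an address. With a local resolver on 127.0.0.1, give the resolver's own user a rule for port 53 instead of surfgroup.

```shell
#!/bin/sh
# Added example, not Linfw3: print an iptables-restore ruleset in which only
# processes running with group GROUP may originate traffic. Apply as root with
#   sh thisfile.sh apply surfgroup
# and keep a local console open; inspect with iptables-save before persisting.

# gen_rules [GROUP]: write the ruleset to stdout
gen_rules() {
    grp=${1:-surfgroup}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: the local resolver (DNS1=127.0.0.1) and X/IPC need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# only answers to connections we opened come in; nothing unsolicited
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# dhclient runs as root and must still talk to the DHCP server
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
# packets belonging to already accepted connections
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new connections: only from processes whose (primary) group is $grp
-A OUTPUT -m owner --gid-owner $grp -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m owner --gid-owner $grp -p udp --dport 53 -j ACCEPT
# everything else, root/uid 0 included, is logged (rate limited) and rejected
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DENY "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

if [ "${1:-}" = apply ]; then
    gen_rules "${2:-surfgroup}" | iptables-restore
fi
```

Test it with a program started as surfuser (it should reach the web) and the same program as root (it should fail and produce an OUTPUT-DENY line in the kernel log); that pair of results is the whole point of the separation.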

Regardless of the Linux distribution, one and the same Linux gets installed package by package, although this may not be possible for every distribution because of their specific architectures (library structure and so on).

OKWe prefer the most complete Linux, assembled from certain distributions mixed together, in the manner of slackware: either a brand-new distribution is installed and mixed up after being updated, or the backport concept described here is used.
Linux, i.e. the (backported) "Universal-Linux", can originate in mdv2010.1 for example. It is updated long-term and consistently with Fedora Project (fc), especially CentOS 6 (el6) and CentOS 7 (el7) resp. Scientific Linux (sl6/el6, sl7/el7), fc -> EPEL (el6, el7) and other el6/sl6 and el7/sl7 packages, where each source package is listed directly under the binary one on pkgs.org. In the end this stops leaving heap upon heap of packages from worn-out distributions behind. The special point of the backport concept is that one and the same version gets patched again and again by new releases of that version, marked in the rpm package name behind the dot at the end, until the code does its work stably and securely. So one package version of a release is picked up and reworked until security and functionality (almost the best sign of security) are given, leading to new releases of the same version. Nevertheless the version itself may change in some, quite rare, cases too.

OKSecure Programming HOWTO, David A. Wheeler, 2015-09-19
This book provides a set of design and implementation guidelines for writing secure programs. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. It especially covers Linux and Unix based systems, but much of its material applies to any system. For a current version of the book, see http://www.dwheeler.com/secure-programs
https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html

SuSE:
SUSE Doc: Deployment Guide - Backporting Source Code
SUSE uses backports extensively. The information in this section helps you understand why it can be deceptive to compare version numbers in order to judge ...
www.suse.com/documentation/sled11/book_sle_deployment/data/sec_update_backports.html

Debian:
Debian sets up a new backports repository - Pro-Linux
With the new repository "lenny-backports-sloppy", updated programs become available to Debian users without major risks or effort. www.pro-linux.de/news/1/16241/debian-richtet-neues-backports-repositorium-ein.html

This backporting is provided for CentOS for more than 10 years (CentOS 6: from 2010 until 2026), accompanied by CentOS 7 (until 2027).
The installed Linux can be completed, to speak of this one and only Linux, by installing packages from many other distributions too.
You can read more about CentOS and this fact in our section on updates.
Alternatively you can order this complete mdv2010 preinstalled on SSD in FSE-encrypted form (full system encryption by dracut and LUKS), with all updates past the update expiration of mdv2010, including those from CentOS el7 and el6, already installed. Then just unpack the tarball of a current Firefox (current or current ESR, extended support release, from CentOS or Rosalabs) and Thunderbird (current ESR (el6, el7)) into directories like /usr/lib64/firefox-any-name and /usr/lib64/thunderbird-any-name and link the executable with "ln -sf /usr/lib64/firefox-any-name/firefox-bin /usr/bin/firefox"; from then on Firefox can be updated via its Info menu. We describe the update of Firefox (and Konqueror) explicitly further below. Finally take care of a more or less current GNU C standard library (glibc (pclos)); for this purpose we tested mga6, version 2.22-29 from 17 June 2018. Of course all already installed glibc packages can be upgraded to mga6 (2.22-29 or higher), or the main glibc package (mga6) with all other glibc packages from el6.

OK We decided on kernel 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004, which leads to a manual LUKS password prompt even when a password key file exists!; mdv2011: version 008) on the basis of the GNU C standard library glibc-2.31 (pclos), glibc-2.22 (mga6), made up of:

glibc (el8, pclos, mga6), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), libc6 (rosa2016.1, rosa2014.1), compat-glibc (el6), glib2.0-common (pclos, el6), glibc-i18ndata (pclos, mga6), glibc-headers (pclos, el6), glibc-static (el6), glibc-utils (pclos, mga6), glibc-profile (pclos, mga6), glibc-glibc_lsb (rosa2016.1, rosa2014.1), locales (pclos, mga6), glib2 (el6), prelink (mga6, mga7, mga5, pclos, rosa2016.1, rosa2014.1), lib64stdc++ (pclos, mga6) or (and this is our tested-well choice:) glibc complete mga6 or: glibc (pclos, mga6 main glibc, rest-rpm: el6), libstdc++ (mga6), libsigc++ (mga6)

In order to avoid error messages from glibc (el8) during system boot, just remove the line LC_TIME=de_DE.UTF-8 from /etc/sysconfig/i18n! Possibly install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

Additionally, but be careful, miroplayer (el6) and the MCC printer administration might stop working with these: lib64glib2 (rosa2014.1), lib64gio2 (rosa2014.1), lib64gobject2 (rosa2014.1), lib64gmodule2 (rosa2014.1). If they do not work anymore, reinstall glib2 (el6) and glib2.0-common (el6).

You can get all such glibc packages from pkgs.org and rpmfind.net without problems, but since version 2.17 the glibc file system layout (mga3) turns /bin, /sbin, /lib and /lib64 in the root directory into symlinks, so all of their files have to be copied into the equally named directories under /usr: /usr/bin, /usr/sbin, /usr/lib and /usr/lib64. This can leave programs like the terminal "konsole" not working anymore (the cursor stays in the upper left corner of the started terminal); consider other terminals like the recommended xterm or the very securely rated aterm (no Unicode support), and install the package (rpm) shadow-utils as the next step. Konsole works again only after devpts is mounted via the device configuration file /etc/fstab, with the following entry:

none /dev/pts devpts mode=620,gid=5

where gid 5 is the tty group; in the MCC user administration make the user a member of the groups tty, wheel and lp. Now it is possible to install many packages from more current distributions, not only mdv2011 and mdv2012 but also Mageia Cauldron 1 up to 4 and especially Fedora Project resp. CentOS 6.8 el6 (release 2010, modification release date (rpm) of the CentOS resp. SL release: 03.08.2015) and el7 (in the last two cases with update guarantees until 2026).
Software packages for these are provided by rpmfind.net and pkgs.org for CentOS (resp. el6, el7), Scientific Linux (sl6, el6), ALT Linux, Repoforge (el6.rf), CERT Forensics Tools, PUIAS Computational, KBS Extras Testing, P.N., Nux Dextop (el6.nux), Rpmforge (el6.rf), EPEL (el6), Atomix, Russian Fedora (el6.ru), NauLinux School (el6.nau), Nau Linux Extras, LinuxTECH and Ghettoforge (el6.gf), Mandriva mdv2010, mdv2011, mdv2012, Mageia 5 down to Mageia 1, Rosa2014.1, Rosa2012.1, the newest Fedora, openSUSE, plus tarballs and programs for any other OS to emulate, from everywhere. With el6 and el7 you can follow the Gentoo GLSA security update list (https://security.gentoo.org/glsa/ ). We list each package in our section on updates. All this can be done for other distributions as well, annoying if not. Following our steps, this open-source system full of device drivers can be made incomparably secure, while the iptables firewall Linfw3 keeps the central role. For details follow this excursus, especially the section on updates. One thing must not be forgotten: make 1:1 backups during the installation process onto at least one external storage medium, especially with the command dd.

Report from 21.10.2004, last update: 06.23.2017.


Time for the system boot < 1 second


It was long ago, in 2010, that my computer satisfied my needs, even for the future. Soon you will agree. You cannot make more secure what is already secure, and the same goes for versatility: whoever really follows this report ends up with an everlasting, 100% secure computer system, including an ultraslim 18 W WLED monitor (TÜV certified), all for about 200 €, with a power consumption of only 20 to 40 W. Many other models might interest too; in our "News&Links" section we even found the Raspberry Pi 3 and especially C.H.I.P., a 3 W computer for 9 €, a model with plenty of memory and as powerful as a smartphone. Further on we present a most secure Mandriva Linux computer system, independent of defragmentation and (built-in) virus scanners, from kiosk magazines for only a few euros in 2010, able to manage almost anything one can imagine because of its software coverage of more than 65 GB (15 DVDs), almost for free. Not only does the suspend mode work on our hardware, where the monitor is completely "suspended" whenever you choose the resting state (similar to the power-off state by hardware): the green LED of the computer tower blinks and Mandriva (2010) switches off all devices except RAM, in order to

"boot" the complete system in less than one second after pressing the powerbutton of your computer tower!

If this does not work, update acpid to at least 2.0.4 or el6. For these two suspend modes, including hibernate, of the four modes in total, make sure that ACPI 2.0 is activated in the BIOS, that the swap partition is about 2 GB in size and that all USB devices such as memory sticks are unmounted (umount) and unplugged. Now the green LED of the computer tower blinks on mainboards like the ITX-220 (see its data sheet). Wake the system up again by pressing the power button of the tower. Now a password is requested by the OpenGL screensaver (also used for screen locking), but only if this is activated in the power management of systemsettings.

Here once again all energy saving modes (suspend modes) under "Universal Linux 2010" (backported system) in detail:
- blanked screen, readiness (passive): dark blanked screen. Some power is already saved by this.
- locked screen: OpenGL screensaver with user password request, protection during the (hopefully short) time a user leaves the computer. Power is still consumed until a power saving mode takes effect.
- abandoned / suspended: the monitor is powered off (usually automatically after a set time) but wakes up again with user activity such as a mouse move, a mouse click or any keystroke. Saved power: the 18 W of the monitor.
- hibernation: the current state is saved into swap, the computer appears "powered off completely" while the BIOS blinks the green LED of the tower; the previous state is restored by pressing the power button. After waking up, the user password is requested before work can continue in the state from before, if the power management of systemsettings says so; saved power: almost all 37 W.
- deep sleep: another kind of hibernation, but the data is written to the hard drive resp. SSD. All internet connections (NetworkManager) are closed after waking up from the last two hibernation modes, so they have to be built up again.

And... much has happened: an incredible 38 gigabytes of traffic on our websites last April without any advertising. Computer age without aging, no platform without fundamental IT security, so welcome to Gooken's excursus on IT security on Gooken.de as a significant contribution to the successful interplay of informatics and society!

Now you can let go of things the world does not need! Everything is already on the mdk2004 DVDs, except for some special software like NASA's moon watch perhaps. After waiting about the same length of time, hardware fulfils the important criteria too.

Starting Situation


Whoever owns a "(mirolike) suneater" (a computer) may be interested in one topic: security. "Earlier, so-called cybercriminals paralysed other people's computers with viruses; today data thieves strip whole bank accounts (by credit card fraud, cracking of chips, direct debits, scam e-mails, skimming, hacking and phishing)", wrote the press even after the turn of the millennium. Since George Orwell we have discussed the phenomenon of Big Brother, someone trying to find out our habits in order to achieve the aims of his few interest groups. One cannot enumerate all of it: spied-on offices and toilets, cameras in banks, railway stations and airports, right in front of petrol stations and ATMs: the eyes and ears of Big Brother seem to be everywhere. Worlds get manipulated and abused (by censoring facts, opinions and views that do not fit). Trains ran late or derailed, while planes, cars and ships crashed or sank. Power grids had their blackouts, users were contaminated by elements from circuit boards and thus irradiated by the normal use of hardware, see the newsgroup postings cited and linked on our link page. Significant precautions against thunderstorms were not taken. Electricity prices drifted. Votes were not counted correctly. Opinions were suppressed and manipulated by positioning within search engines and legitimising rules; in some cases their listings had more effect than the criminal records of the courts, unmanned aircraft threatened to shoot us, corruption escalated.

Once, in 2003, SuSE Linux 7.3 appeared with four printed manuals: one reference, one for the programs, one for networks; still the market share of Linux, except for servers, stayed below 10 percent. Linux has the intellectual touch many people do not like. The handbooks are interesting, but did not explain how to create and manage a really secure computer system. On the basis of a distribution covering the whole software landscape like mdv-Linux from 2010 we dare to say we have managed to do so with this excursus resp. report. This mdv also makes it possible to emulate other popular operating systems on power-saving but ergonomic, fast hardware. Even the many games for this distribution are very convincing, many of them running on OpenGL and SDL. Nice to note, and most interesting: they and all software of this distribution really, really run! See how risky other operating systems turned out to be, for not many people believed us before it all happened to them:

Focus.de, February 2015: "Unreal e-mails from fraudsters and cybercriminals are well known too; it is a matter of a few seconds that we click on such e-mails to make it happen. As soon as such an e-mail opens, we sense that it was not sent only to us. Dangerous viruses can take effect (prevention: UNIX/Linux file systems, a spam filter with a first virus scanner like spamassassin and clamav prevent the propagation of viruses). The next mistake is to open the attachments and links too. Cybercriminals can steal millions of e-mail addresses by data theft. Nowadays plenty of time is spent online to be reachable, so that we can be abused. The problem of protecting the increasing amount of data becomes more difficult day by day. Fingerprints are left in e-mails, in online shopping (registrations, tracking scripts), WhatsApp messages and more."

Viruses, trojans, worms, bots: 40 percent of the computers are "zombies", Focus, 02.03.2014
The number is alarming: 40 percent of all PCs in Germany are infected and can be remote-controlled by cybercriminals. Once set free, malware opens the back door to more abuse. How to protect yourself: the share of infected computers rose to 40 percent last year, confirmed the Anti-Botnet Support Centre of the internet association Eco. More than 220,000 computers with old browser versions were scanned. This leads to trojans and viruses. In many cases the first pest opens the door to more infections, the association describes. So-called "zombie computers" can be remote-controlled by cybercriminals. "Their systems are used as part of networks that criminals abuse for spam distribution or denial-of-service attacks, leading to immense damage", said Markus Schaffrin, the Eco security expert. The result is alarming, said Eco. For more security, a well configured firewall and an anti-virus scanner remain essential. Focus explains how you can find the best virus scanner (we, Gooken, think it is clamav: this open-source scanner is constantly reviewed and can be installed on all popular operating systems).


Linux does not work? How you can solve every driver problem, PC-WELT.de, 04.07.2017
Linux runs on almost all PCs and notebooks, but not every hardware peripheral is recognised automatically. With new devices some problems are possible.
[...] Linux distributions provide wide hardware support and run on almost all PCs. With SATA, Ethernet, graphics card and monitor as well as mouse and keyboard there are no problems to expect at all. Those basic functions should be guaranteed in any case.
Older printers, scanners or TV cards without drivers for Windows 7, 8 or 10 can often be reused under Linux, but for very new or rare devices there is sometimes no support. Before the installation, hardware compatibility should be tested.
Report in German only: https://www.pcwelt.de/ratgeber/So-bringen-Sie-Linux-trotz-Probleme-zum-Laufen-9789269.html

New nvidia drivers cause system crashes, PCWelt.de, 10.03.2016
Nvidia's new graphics card driver 364.47 causes serious problems for some PC users. Affected users can do the following: http://www.pcwelt.de/news/Neue-Nvidia-Treiber-364.47-sorgen-fuer-Abstuerze-9943889.html .

Even a meltdown in Fukushima took place! Also have a look at the section "News&Links" in our left menu! If we follow such reports, we are reminded of emergencies, catastrophes and incalculable costs. Since computer technology seems to be part of almost everything (Na/ST), it and the companies behind it seem to be quite liable for all of it, personally too, see our link page....! One question seems central:

Do we rule computers, or do computers rule us?


Computing begins, where it ends


Green LED vs. red LED: "Yes, I think I´am OK vs. yes, I think I am (the) stupid idiot (while our own system signs: "..." with one very short blinking point more or less periodically after the other one in around two up to ten seconds, asking the user back for "any complaints?", reminding him for "more activity, please..." and saying "I tell you...(heartbeats)"), what shall not confound with the three LED at the top of the num-block the keyboard saying to the user "Hi!" and "bye" resp. "out of order" (kernel-panic). All or something, that of course is not essential anymore in the case of touch-screens, and that´s the naked truth. The own computer should be no disadvantage and not stand for riscs (red LED) without loosing his advantages and opportunites (green LED). Computer systems should not think about themselves, that they are stupid for all, by making themselves work with capacities reducing and control wresting self-checks for virus-scans, bot-processes, bugs (program-errors), processes of trojans and self-maintenances as the cause of their technical unjustifiance. This is almost self-signaled by the blinking orange or red LED of the computer-tower. A solution far from MS Windows is found since year 2004 resp. 2010: Gooken does present even more a (classical, quit everlasting) computer-system on lowest costs with quit all software almost in top-graphic running as secure and stable without much blinking of the red LED as computer can! In spite of red marked text and our linksite you become a witness of the eight wonder of the world named "the almost 100% security bewaring computer running on lowest cost, where there is quit no software of rubriques of all kind missing", even not of games and TOP-games! 
Please do not forget to read our link pages from the left menu section "News&Links". These link pages contribute to the right understanding of working with the computer; although we are going to provide the promised security with this excursion, many remaining threats from the outside are still waiting. For security studies for MS Windows, please have a look at News&Links too.

Past the installation phase, a system almost free of security leaks, maintenance and administration is provided. The only thing one has to do from time to time is to install current updates.

MS Windows "replacement": Windows virtualization with virtualbox, VM, qemu and xen, and the Wine compatibility layer (wine, mingw, mdv2010); likewise classic Mac OS (68k) emulation with BasiliskII and Amiga emulation with uae, and so on


With wine, winecfg and finally playonlinux from mdv2010, running software written for MS Windows (98, XP, 7, ...), including MS Office and Internet Explorer 6 up to (currently) 8, is no longer a problem (although, in our opinion, with the well-equipped mdv2010 one hardly needs any of it). More than 100 top games: see our data sheet.

The frontend playonlinux presents software that can be installed by group, such as accessories, development, education, games, graphics, internet, entertainment, office and others, and offers, among many others, the following software to install:
MS Office, MS Word Viewer, Internet Explorer 6 up to (currently) 8, Google Picasa, WowApp, 7-Zip, Ultimateencoder, Amazon Kindle, Azuon, Cadstd Lite, PDU Spy, Photofiltre Studio X, Dreamweaver, Codeblocks, Flashplayer, Flash 8, Flash MX, Notepad++, Graph, Teach2000, Simultit, Rocket Reader, Huckel 95, Adobe Photoshop, Fireworks8, Microsoft Paint and more; for more than a hundred games see our data sheet!

playonlinux installs separate 32-bit or 64-bit Wine versions depending on the programs chosen.

It also offers installation of any setup.exe, regardless of whether it was downloaded from the internet or comes from a hard drive or CD/DVD.

Installation
Wine: How to use the Windows replacement in Linux, PCWelt.de, 08.11.2015
Wine is a reimplementation of the Windows API that lets many Windows programs run under Linux too. Where it works, it is, in contrast to virtualization (virtualbox, Xen, qemu, ...), the more direct way: http://www.pcwelt.de/ratgeber/Wine-So-nutzen-Sie-Wine-als-Windows-Ersatz-9790018.html; for numerous top games from playonlinux see the data sheet.

PCWelt also presents security tips for users, PCWelt.de, 03.08.2015 and 22.08.2015

Create your VPN (private internet tunnel)
Most public WLANs are, as the name says, public. An attacker with only a few tools can capture the traffic of everyone nearby. Calling websites via https in the browser's address line helps, but it is not the whole solution. A virtual private network (VPN) should be used to provide an encrypted tunnel between your device and the internet. There are free offers such as "Hide My Ass", "Hotspot Shield" and "Tunnel Bear"; a paid VPN is among the better alternatives (or run the tunnel yourself with the open-source IPsec and OpenVPN implementations FreeS/WAN, strongSwan, OpenVPN or Openswan). Paid versions like Hide My Ass cost around 40 € a year and protect not only your PCs but also your mobile devices.

libreswan (rpm): "Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up Libreswan. To build KLIPS, see the kmod-libreswan.spec file. Libreswan also supports IKEv2 (RFC4309) and Secure Labeling. Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04"


You can use a free VPN client like OpenVPN (or FreeS/WAN, editor's note) to connect to a VPN service where you have an account, so that you reach the internet through an encrypted connection. This is a good reason for a VPN, but not the only one. Maybe you do not want your internet provider to watch all your online activities at home. Normally, when you go online, the provider can see all of your activities. With a VPN your internet service provider only sees the connection to the VPN. Besides, VPNs help to bypass regional restrictions of websites like Amazon, Hulu, Netflix and BBC iPlayer. One example of a VPN provider is the company IPredator from Sweden, offering VPN services for eight dollars a month and keeping its connection to the famous torrent tracking site "The Pirate Bay". IPredator promises not to store any traffic data of its users. You can also use PGP encryption when you contact IPredator support by mail. Another popular VPN provider is Private Internet Access, which promises not to log traffic data either. PIA costs 7 dollars a month or 40 dollars a year. PIA also helps to bypass regional blocks in the USA, Canada, Great Britain and several countries in continental Europe. Although a VPN protects your privacy, operators of websites like Facebook and Google can still log your internet activities. The anonymous/private mode of your browser does not provide complete anonymity, but it keeps websites from reading your cookies and your browser history to learn more about you. We are going to see what we can do, comment by Gooken.

How to configure and establish VPN connections is explained here (in German): http://pdf.zeit.de/digital/datenschutz/2013-01/serie-mein-digitaler-schutzschild-vpn-ipredator.pdf .

The risk remains with the VPN provider, who knows your IP address, so you have to trust him. This is the central disadvantage compared with Tor. Two practical caveats apply to any VPN client: if the tunnel drops, the operating system silently routes traffic over the plain uplink again unless the firewall forbids it, and DNS queries leave the host through whatever resolver is configured, which may be the provider's and not the tunnel's.
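The fail-closed behaviour described above, as an added example by the editor (not code from the Gooken page or from any VPN vendor): an iptables "kill switch" that lets the host talk only to the VPN peer and through the tunnel interface, so a dropped tunnel blocks traffic instead of leaking it to the ISP. The VPN server address 203.0.113.10 (a documentation-range address), UDP port 1194, tunnel interface tun0 and uplink eth0 are hypothetical values; the functions print the rules, and apply_killswitch executes them only when run as root.

```shell
# Added example (editor's, not from the Gooken page or from any VPN vendor):
# an iptables "kill switch" for a VPN client.  Assumed (hypothetical) values:
# VPN server 203.0.113.10, UDP port 1194, tunnel interface tun0, uplink eth0.

# is_ipv4 ADDR : exit 0 if ADDR is a dotted quad.  The VPN peer must be given
# as an IP address, because with OUTPUT policy DROP no DNS lookup can leave
# the host before the tunnel is up.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# vpn_killswitch_rules SERVER PORT [PROTO] [TUN] [UPLINK]
# Prints the iptables/ip6tables commands.  Order matters: loopback and
# already established flows first, then DHCP renewals on the uplink, then the
# single hole to the VPN peer, then the tunnel itself; every other outgoing
# packet is rejected.  IPv6 is closed completely so that nothing bypasses
# an IPv4-only tunnel.
vpn_killswitch_rules() {
    server="$1"; port="$2"; proto="${3:-udp}"; tun="${4:-tun0}"; uplink="${5:-eth0}"
    is_ipv4 "$server" || { echo "vpn_killswitch_rules: SERVER must be an IPv4 address" >&2; return 1; }
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $uplink -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o $uplink -p $proto -d $server --dport $port -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# apply_killswitch SERVER PORT [PROTO] [TUN] [UPLINK] : run the rules as root
apply_killswitch() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_killswitch: run as root" >&2; return 1; }
    vpn_killswitch_rules "$@" | sh -e
}
```

Apply the rules before starting the VPN client. To verify, fetch a page with the tunnel down: the request must fail with "network unreachable" or a timeout, and iptables -L -v -n must show the REJECT counter rising. Name resolution while the tunnel is down fails as well, which is the intended result; the resolver in /etc/resolv.conf has to be one that is reached through the tunnel (usually the VPN's own DNS), otherwise DNS leaks past the VPN even while it is up. The flush at the top removes Linfw3 or any other ruleset already loaded, so merge the rules instead if another firewall is in use.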

I2P is a decentralized network connecting users to make end-to-end encrypted communication possible. It is still under development and provides an experimental addition to other methods of encryption or anonymization.


"Tor is a connection-based low-latency anonymous communication system. This package provides the "tor" program, which serves as both a client and a relay node. Scripts will automatically create a "toruser" user and group, and set tor up to run as a daemon when the system is rebooted. Applications connect to the local Tor proxy using the SOCKS protocol. The local proxy chooses a path through a set of relays, in which each relay knows its predecessor and successor, but no others. Traffic flowing down the circuit is unwrapped by a symmetric key at each relay, which reveals the downstream relay. Warnings: Tor does no protocol cleaning. That means there is a danger that application protocols and associated programs can be induced to reveal information about the initiator. Tor depends on Privoxy and similar protocol cleaners to solve this problem. This is alpha code, and is even more likely than released code to have anonymity-spoiling bugs. The present network is very small -- this further reduces the strength of the anonymity provided. Tor is not presently suitable for high-stakes anonymity." (rpmfind.net on tor, 18.01.2016)

Another reason for caution with Tor is named by PCWelt.de:

"In November last year the anonymizing network Tor started its first donation campaign, with overwhelming success. Exactly 205,874 US dollars (around 190,262 euros) from 5,265 different donors were collected by the Tor project within six weeks. With this money the Tor project wants to reduce its dependency on the US government, which finances about 80 to 90 percent of Tor. As the US security agencies try to infiltrate the Tor network, it makes sense to make Tor more independent from the USA. Allegedly the US federal police FBI paid one million dollars to a researcher at Carnegie Mellon University to help the FBI intrude into the anonymizing network. The NSA is also trying to crack Tor.", http://www.pcwelt.de/news/Erfolgreiche-Spendenkampagne-fuer-Anonymisierungs-Tool-Tor-9916676.html

Tor: no absolute security, heise.de, 30.08.2016
An anonymizing network like Tor leaves security gaps and points of attack: if many Tor nodes are observed, conclusions about the location and even the identity of a user can be drawn, and not only by agencies like the NSA. There is also Tor-based malware on the way, probably rare, but real: http://www.heise.de/download/product/tor-browser-40042 .
A practical caveat follows from the "no protocol cleaning" warning above: Tor only anonymizes what actually enters its SOCKS port. An application that resolves host names itself before connecting sends its DNS queries outside Tor; use the SOCKS5 mode that hands the host name to the proxy (for example curl's --socks5-hostname 127.0.0.1:9050 rather than --socks5), or the Tor Browser, which does this for you.

OK Protect the router
The most important connection to the internet in everyday life is your router at home, used for online banking and the like, where sensitive data is transferred. So never reuse the same password, and especially not the router's. For the most secure home connection always use WPA2 encryption and randomly generated passwords of at least 30 characters, kept in a password manager (a WPA2 passphrase may be 8 to 63 ASCII characters long, so 30 or more fits). One more report about routers follows below, at the end of step 1 of this excursion.

OK Do without Java (whenever possible)
To our relief, Oracle's Java does not belong to the software a PC user needs. Java has been full of security holes. Security experts have demanded a complete overhaul of Java from Oracle; in January 2013 they advised all PC users to deactivate Java wherever possible, that is, except where Java is really needed. One should seriously consider removing Java, and above all the Java browser plugin, from the system completely and at once; on MS Windows this is done via the Control Panel. Nevertheless, if a website requires Java, the recommendation to install a current Java version still applies.

OK Be careful with the password recovery of mail accounts
Make the hacker's life as hard as possible. Use different mail accounts with different passwords, kept in a password manager, and with hard-to-guess recovery addresses like "myrec0v3ry_ZMf43yQKGA@outlook.com". Then an attacker cannot take over the accounts easily, and certainly not all of them at once.

OK Do not rely on antivirus software alone; use an anti-malware scanner as well
Virus scanners alone do not detect and remove all malware. It is a good idea to use a malware scanner too.

OK Cover the webcam. There were times when malware mailed Word documents to every e-mail contact. This can get much worse now that computers come with webcams and microphones. Put adhesive tape, maybe with a piece of paper underneath, over the lens of the webcam. Whenever the webcam is needed, the user just peels it off.

Databases (SQL)


OK Password protection for MySQL: start the daemon mysqld, log in with

mysql -h localhost -u username -p

and enter at the mysql prompt:

grant usage on *.* to 'username'@'localhost' identified by 'password-to-set';


This method is advised as secure. Note the host part: a bare 'username' means 'username'@'%', i.e. the account may log in from any host. Alternatively, but considered less secure with regard to logging, and using the PASSWORD() function, which is deprecated since MySQL 5.7 and removed in 8.0:

SET PASSWORD FOR 'username'@'localhost' = PASSWORD('password-to-set');

On MySQL 5.7 and later the supported forms are CREATE USER 'username'@'localhost' IDENTIFIED BY 'password-to-set'; and ALTER USER 'username'@'localhost' IDENTIFIED BY 'password-to-set'; (GRANT ... IDENTIFIED BY is deprecated there as well). Afterwards check with SELECT user, host FROM mysql.user; that no anonymous account (empty user name) and no account reachable from '%' remains that you did not intend; the script mysql_secure_installation shipped with MySQL removes the anonymous accounts and the test database for you.


The (own) computer should escape from the dark empire, here named after Miro's "Suneater", but how?

Technical failures arise from human ones. "The way is the goal", says their leader Confucius. Gooken itself is a meeting place for scientifically based IT security, since computers can run securely. Its excursion introduces the security concept without accumulating costs for consultation, training, migration and licences. It does so by providing a secure, standard company-management database and an IT security concept for your computer system meant to last as long as possible, spanning all parts of a company (fields, clients, master data, departments, standard processes, editor, printouts, diagrams, security), integrating the company management Mycompanies in PHP/MySQL with the integrable PHP FCKEditor for text fields, ready for Web 2.0 and 3.0 technology, the definition of security levels, a computer manual, (security) commands, a checklist and prototypes, in order to do without hard-disk scans and to reduce the number of essential updates and upgrades to as few as possible, ideally none (!), plus a deep look into the work resp. code of search engines like Gooken, "News&Links" especially for the friends of MS Windows, and more. In comparison with other projects, those of Gooken are not only meant to last, but also reach their end right at the beginning!

Theory


All this direct online help is offered to secure stable positions before the law and towards fellow men. It is realized by settings and downloads consisting of SQL for company management, PDFs like the computer manual with checklist, and comprehensive security software for prevention, diagnosis and repair, answering the survival question of the computer age; its central rating of computers fully substantiates the book "Security in Information Technology", second edition, by Prof. Dr. Kersten, Oldenbourg-Hochschulverlag, 1995. Therefore Gooken tries to contribute to calm, trouble-free operation! Practically all needs and security problems of the computer can be solved! Gooken offers

an introduction ("basics") to reach the highest IT security level possible, a pdf that also contains the next step 2 to reach an enhanced IT security level, a pdf of system (security) commands and a pdf checklist,



Anonymizing proxy server


surfing with the anonymizing proxy (base64 or rot13 URL encoding, SSL-encrypted transport) and the free base64/rot13 non-SSL proxy (with restricted download capacity), both programmed by Abdullah Arif. In both cases, paid or free, not only the IP address is exchanged, but also all kinds of scripts including tracking scripts, as well as cookies, are blocked by choosing the option "remove scripts". This is important to defeat methods like canvas fingerprinting; details see our "online check". Note that base64 and rot13 only obfuscate the target URL from casual observers; they are not encryption, and only the SSL variant protects the transport between you and the proxy. If our free proxy is not reachable, try https://www.vtunnel.com.

Webdesign- and programming in HTML, JavaScript, PHP, PHP-MySQL and MySQL

Search engines


Many search engines tell us that we can search securely because they refrain from storing the IP addresses of their users. But since Edward Snowden (June 2013) the fact is that many search engines are hosted on servers within the USA, even those recommended by so-called privacy protectors. Such search engines fall under the Patriot Act and US law and therefore have to grant US authorities full access. So they cannot offer protected privacy, even if they try (source: metager, 2014).

German government and the EU Commission, Tagesschau, 21.05.2014: Mundt supports the demands of Federal Minister of Economics Sigmar Gabriel, who calls for strict regulation and a break-up of the Google group. Paris also calls for stricter rules: the minister and his French colleague Arnaud Montebourg demanded in a letter that the proposed conditions for Google be tightened. However, the ministers from Berlin and Paris do not find the sympathy of EU competition commissioner Joaquín Almunia, who is sceptical about breaking up Google. But not everything about Google is settled by far: it cannot be excluded that the commission will follow up all the complaints against Google in further legal proceedings, Almunia explained at the same time.


Instead, the platform-independent Gooken is a self-learning search engine with SSL support. Gooken was developed to answer questions about IT security still open after our excursion with its downloads, as well as for any other purpose. You search completely anonymously, with no click registration by the meta-queried search engines! Currently no data is stored, neither your IP nor the user-agent string of your browser! Gooken does without tracking scripts, participation in an advertising network and server farms. You can open all websites anonymously.

Open Website Reputation: Gooken 100/100

downloads making Linux what it claims to be: free from intrusions, without hackers and trojans, and therefore secure, independent of most distributions and versions: Linfw3, the unbeatable fortress with protection against insecure browser plugins, the comfortable end of all hackers and trojans (for single user, client, server); besides Klean, Rename-Manager, the LAN-supporting, platform-independent PHP/MySQL library Bibliomaster, the platform-independent PHP/MySQL company-management database Mycompanies and

a filter list for the ad blocker of Konqueror and other ad blockers, from the Easylist and entries collected over time,

attempts, for little money, to improve your online reputation within the internet, price by agreement

Fedora and CentOS (resp. ALT Linux) Updates, Linux for Security, and Top Seven, by Susan Linton, Jan. 17, 2014
LinuxToday was another interesting day in the newsfeeds, so much so I can't pick just one. There were several headlines focusing on Fedora or CentOS (resp. ALT Linux) today. Linux.com has posted a top seven distro list for 2014 and Jack Wallen says CESG recommends Linux for security. That's not all either. First up today, Jack Wallen over at TechRepublic.com published an article discussing the results of the United Kingdom's Communications-Electronics Security Group (CESG) operating system security tests. The tests consisted of 12 categories of security focus such as Disk Encryption, Authentication, and Platform Integrity and Sandboxing. As if there was any question, Linux proved the most secure of all the desktop and mobile systems tested. So, be sure to check out Wallen's article for more detail and relevant links.

Operating systems and comprehensive, well-designed software ready to start: after all those computer systems, finally one to work and play with (stable)!


mdv on USB memory stick: open source from (bootable) DVD, (bootable) USB memory stick or memory card, or from DVD onto SSD and HDD, so take the, as we think, one-time chance to do without new computer hardware and new operating systems in future. This can be done with the shell script mandriva-seed, unetbootin and other programs:

mdv on DVD: from mdv-final for practically all devices. Computing has really begun where it ended: Opensource-2010-FINAL, secure, easy to handle and most comfortable Linux, fulfilling FHS 2.3 (Filesystem Hierarchy Standard) and the ISO standard LSB 4.0, with 65 GB (15 DVD) plus Fedora rpm plus unlimited software (see our data sheet in the left menu), also recommended by prism-break.org, stable and secure from DVD onto your SSD (and/or hard drive) with lifetime installation support, fc-SuSE-mdv. We also offer the complete, already updated, stable and secure Linux distribution powerpack+final version mdv2010.0 from 2010 (x86_64, 64-bit, optionally with the MAC-based Tomoyo Linux by NTT DATA Corporation, Japan) with the driver-rich kernel 2.6.31 (2.6-final, resp. the Knoppix-2010-like mdv-2010 kernel 2.6.33-7-2, 2.6.39 with allow-discards support for FSE/FDE and patches up to date from our updates section) or kernel-4.20.13 (pclos/PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004, which leads to a manual LUKS password request even when a key file exists!; mdv2011: version 008) and glibc (el8, pclos), kernel-rsbac (hardened), RFC-compliant encryption methods, Firefox 3.6.17, which you can update to a current version such as Firefox ESR, patched bash, LUKS/dm-crypt (cryptsetup), most drivers for desktop computers, all PostScript printers, PPD files from the manufacturer or driver CD (alternatively see the compatibility list and the foomatic, PPD and cups filter drivers and cupsddk (cups driver development kit) from these DVD or from the Linux Foundation, openprinting.org) and powerpack+ from 2007 (i586, 32-bit), many graphics card drivers including the Intel IGP driver, IGP openchrome and IGP unichrome3D, ati, nvidia and the universal VESA standard driver and others; each version consists of one installation DVD (1) for the binary packages (rpm), one DVD with further
mdv-2010 software packages, most already known from mdk10.1 (2004) (2), including the Debian package managers (apt, dpkg, alien), debbuild (el6), debmirror (el6), more drivers and software listed in the data sheet below, and one DVD with the corresponding (updated) source code packages (3): 3 DVD Linux in total, stable and secure mdv2010.0-final (x86_64) or mdv2007-powerpack+ (i586), 3 × 4.4 GB of comfortable, most stable and secure Linux, free of shipping costs, for 20 € with 24h lifetime support from fr2.rpmfind.net and sources, or the installation DVD mdv2010.0 from http://linuxisos.de for 8 € (2013), or

mdv from SSD: 65 GB of mdv software (15 DVD for mdv2010 from mdv2010.0, updates, mdv2010.1, mdv2010.2 including all GLSA updates except KDE, 2014 patched bash and OpenSSL 1.0.2, Firefox ESR; extract see data sheet) plus source rpm, on the SSD of at least 120 GB you send in, with FSE (FDE) of all partitions: root (around 65 GB), home (around 25 GB, auto-mounted by a key file from the root partition), swap (around 3 GB) and one more partition (around 30 GB), 24h lifetime support from fr2.rpmfind.net, or

After installing kernel-4.19 (pclos), look up its requirements and install missing ones such as kmod (pclos): rpm -q --requires kernel-4.19....

mdv from the internet: mdv2010 packages for free from http://fr2.rpmfind.net/linux/RPM/mandriva/2010.0/x86_64/index.html, http://fr2.rpmfind.net/linux/RPM/mandriva/2010.1/x86_64/index.html and http://fr2.rpmfind.net/linux/RPM/mandriva/2010.2/x86_64/index.html, 24h lifetime support from fr2.rpmfind.net and sources, plus practically all Linux tarballs,

kernel-4.20.13 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004, which leads to a manual LUKS password request even when a key file exists!; mdv2011: version 008) and glibc (el8, pclos), resp. kernel-desktop-2.6.39 (mdv-2011 standard kernel), kernel-server-2.6.39 (standard kernel with patches up to now, 2016, see our updates section), kernel-linus-2.6.31 (original kernel from Linus Torvalds), kernel-rsbac (hardened kernel), kernel-uml (user-mode kernel), xen-kernel (Xen virtual machines), lirc-kernel (infrared driver), kernel-tmb (laptop), kqemu-kernel (kqemu accelerator for the standard kernel), vpnclient-kernel (vpnc driver), fglrx-kernel (AMD/ATI proprietary graphics driver), em8300-kernel, broadcom-wl-kernel (Broadcom WLAN), hsfmodem-kernel (Conexant HSF modem), madwifi-kernel (Atheros WLAN driver), libafs-kernel (OpenAFS), lzma-kernel (lzma driver), kernel-rt (real-time kernel), fusion-kernel (fusion driver), kernel-netbook, kernel-openvz (OpenVZ container virtualization), kernel-kerrighed (Kerrighed cluster support), opencbm-kernel (Commodore serial bus), psb-kernel (Intel Poulsbo graphics), actuator-kernel (actuator driver), m560x-kernel, nvidia-current-kernel, nvidia96xx-kernel, nvidia173-kernel, netfilter-rtsp-kernel, fortune-kernel, vhba-kernel (vhba driver), r5u870-kernel, r5u870-kernel-laptop, squashfs-lzma-kernel, vboxadditions-kernel, virtualbox-kernel, current kernel 3.x (from fr2.rpmfind.net or kernel.org), ...

Note that, for the sake of transparency among other things, the system boot is not mainly driven by the kernel with its many firmware files, but by the SysV runlevel init scripts in /etc/rc.d/rcN.d (runlevels 0 to 6) from the tarball resp. rpm named initscripts and util-linux, controlled by the program init.

uml-kernel: User-Mode Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions and poke around in the internals of Linux, all without risking your main Linux setup. User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer or its software. You need a UML kernel and a suitable root filesystem image of about 1 GB from http://uml.devloop.org.uk/. Start: ./<uml-kernel-binary> ubda=<root_fs-image> rw mem=256m ; stop: halt (inside the guest). The UML kernel is an ordinary process with the privileges of the user who started it, so start it as an unprivileged user, not as root; the isolation is only as good as the files and devices that user can reach.

The Filesystem Hierarchy Standard (FHS) defines the directory structure and directory contents in Unix and Unix-like operating systems and is maintained by the Linux Foundation. Version 2.3 was announced on 29 January 2004 [1]; the current version is FHS 3.0 (June 2015).

Only some Linux distributions fulfil the Filesystem Hierarchy Standard and the LSB standard. The Linux Standard Base (LSB) itself is a joint project of several Linux distributions under the organizational structure of the Linux Foundation to standardize the software system structure, including the filesystem hierarchy used in the GNU/Linux operating system. The LSB is based on the POSIX specification, the Single UNIX Specification and several other open standards, but extends them in certain areas. According to the LSB, its goal is to develop and promote a set of open standards that increase compatibility among Linux distributions and enable software applications to run on any compliant system, even in binary form. In addition, the LSB helps coordinate efforts to recruit software vendors to port and write products for Linux operating systems. The LSB is registered as an official ISO standard. The Linux Standard Base aims to make binaries portable.

The LSB version of mdv2010, shown by the command

lsb_release -a

LSB Version: lsb-4.0-64...
Distributor ID: MandrivaLinux
Description: Mandriva Linux 2010.2
Release: 2010.2
Codename: Adelie (Napoleon, annotation by the editors)

Intro


With mdv2010 the software is not only comprehensive, it can also be presented in an attractive and interesting way:

Window management (which keeps what it promises): always in foreground, always in background, remember, forced positioning and sizing, borders, desktop assignment, window shading, behaviour menu, screen edges, window effects, window switching, actions, activation, specific settings, ...

Desktop effects: kiba-dock, 3D window gallery, 3D window stack, fade in and out at login and logout, cube, preview (of minimized windows), showcase with thumbnails of open windows, translucency, transparency, dimming, zoom, automatic crosshair for centering, gliding, magnifier, shadow, magic lamp (when maximizing minimized windows), wave, ... on the basis of compositing: spotlighter (adjustable desktop spotlight), ardesia (desktop sketching), curtain (a curtain to move across the desktop from one side to the other) ...; like plasmoids, without noticeable loss of performance for active processes of mdv2010.





Keystrokes for KDE desktop effects: Ctrl+F9 or mouse pointer in the upper left corner: preview with thumbnails of open windows; Alt+Tab: window switching; Ctrl+Alt+scroll wheel: window transparency; Ctrl+arrow keys: rotation of the desktop cube

Plasmoids resp. plasma applets for the desktop and the control bar (please note that, unlike the mdv2010 rpm packages, currently not all of them work, so we have to wait, and that some of them fetch the information they present from the internet): Daisy (free program choice in rings or bars), Lancelot (desktop menu), time zones and weather, birthday reminder, calculator, widget dashboard, system monitor, multi-row quick launcher (multi-row compressing collector for icons with optional mini pull-down/up menu), unit conversion, LCD weather station, weather forecast, word clock with time zones, battery check, image frame, comic, egg timer, bouncing ball, colour picker, moon phases, zoom, social desktop, to-do lists, Remember the Milk, guitar tuner, image preview, Flickr, language translator, solar system, fish tank, DVB signal meter, news ticker, Mountoid, Bundesliga, Facebook, bsun (wandering sun), FrustML resp. "Mensch ärgere dich nicht", Fancy Tasks (quick starter similar to cairo-dock), Koala (similar to Tamagotchi), Astrocalendar, Plasmio (SMS), 15 stones, Tomatoid, spell checker, blackboard, WorkContext (nepomuk) and much more ...

Desktop, upper right corner with the half-moon plasmoid: toolbox for adding a control bar, configuring keyboard shortcuts, adjusting the active-directory view, enlarging/shrinking fonts and symbols and unlocking the (plasmoid) mini programs.

Gadgets, Apps-Installer, ...


Gai, the General Applet Interface Library from http://fr2.rpmfind.net or http://gai.sourceforge.net: gai-pal, gai-album, gai-bgswitcher, gai-blobs, gai-clock, gai-mailcounter, gai-nebulus, gai-sun, gai-othello, gai-pager, gai-terrain, gai-visual-audio, gi8k, gwlan, vpn, bluecombo, FishTime, shermans-aquarium, TV in a box (tvib), usermon, ...



Cairo-Dock from http://fr2.rpmfind.net or http://www.glx-dock.org/

OK krunner: KDE semantic desktop search per single mouse click, based on ginkgo resp. akonadi and nepomuk and so on (all on top of MySQL), by direct text search like Cortana for MS Windows, ideal per mouse click from the task bar or from the KDE start menu, to search for names, database entries of all kinds, text files, audio, images, videos, e-mail, news (Usenet), command execution, date and time, desktop sessions (user switching), Kopete contacts, contacts from Kontact, web browser history, Konqueror sessions, bookmarks (find and open), unit converter, media playback, nepomuk (semantic search), locations (open files and addresses, ginkgo resp. semantic view when saving documents and other files), (open and closed) windows and work areas (and their contents), plasma desktop (interaction with the plasma shell), TechBase (search within the KDE TechBase), Wikipedia (search in Wikipedia), Wikitravel (search in Wikitravel), dictionary, recent documents, devices, kate sessions, kget (links to the download manager kget), konsole sessions, language translator, special characters (creates special characters) and so on: krunner (el6, ..., mdv) (or press Alt+F2)

rpm description of ginkgo (KDE: mdv2010.2, mga, rosa): "Ginkgo is a graphical front-end for managing data semantically. Ginkgo lets you create and explore links between your personal data such as e-mails, contacts, files, Web pages. It harnesses the Nepomuk framework."

Start ginkgo (KDE: mdv, mga): right-click a directory or file -> context menu -> "Annotate" (context menu of KDE mdv2010.2) -> Ginkgo: a data record with different text fields.
For KDE on el6 and OpenSuSE 11.2 (4.4.4, 4.4.11) ginkgo does not work, but clicking on "semantic view" while saving documents and files is a good alternative, as it opens the same text input fields as ginkgo.

Now you may want to click on the wrench symbol (settings) and "modules" to deactivate Wikipedia, Wikitravel and the Google language translator, since these runners send your search terms to external servers.

[SOLVED by Gooken, 21.10.2016: drkonqi: One or more akonadi_resource do not work or cannot be found]
First, check whether akonadi (el6) is installed (rpm -qi akonadi).
There are three rpm packages full of akonadi resources like ical, birthdays, kcal, knut, kolabproxy, localbookmarks, mbox, microblog, nntp, notes, vcard, vcarddir, nepomuktag, strigi, kabc, kcal and imap: akonadi-kde (mdv2010.2) and kdepim-runtime (el6) with kdepim-runtime-libs (el6).
Now unpack akonadi-kde (mdv2010.2) and copy the non-working akonadi resources, which can be found in the rpm's usr/bin/, to /usr/bin.
The other direction, from kdepim-runtime (el6) to akonadi-kde (mdv2010.2), might be the correct one in some cases too.
If you want to start the nepomuk semantic desktop search (krunner):
1 eventually start the strigidaemon: /usr/bin/strigidaemon&
2 start the desktop search KDE control module (systemsettings, or in krunner enter "nepomuk" in order to select it)
3 select the files to index / Dateiindizierung (Verzeichnisse auswählen)
4 activate both nepomuk and strigi / Nepomuk-Semantik-Dienste und Strigi-Datei-Indexer zugleich aktivieren
5 If the error message (like "akonadi_ical_resource can not be executed successfully") still appears, start akonaditray and remove the resource concerned from the resource listing. Many resources can be removed, but maildispatcher (maildis), maildir and mailtransport (mailtrans) are always needed for kmail.
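The "unpack and copy" step above is easy to get wrong by hand, so here is an added helper (written for this page, not part of any KDE or Mandriva package): it reports which akonadi_*_resource binaries are missing or not executable in a bin directory, and it unpacks only usr/bin/ from an rpm into a scratch directory with rpm2cpio/cpio so you can inspect the files before copying anything to /usr/bin. The resource names in the usage comment are the ones listed in the text; the bin directory is a parameter so the check can be run against any directory.

```shell
#!/bin/sh
# Added example for the akonadi troubleshooting above (not the page's own code).

# missing_resources BINDIR NAME...
# Prints "akonadi_<name>_resource" for every name that has no executable
# file of that name in BINDIR, one per line. Returns 1 if anything is missing.
missing_resources() {
    bindir=$1; shift
    rc=0
    for name in "$@"; do
        bin="$bindir/akonadi_${name}_resource"
        if [ ! -x "$bin" ]; then
            printf '%s\n' "akonadi_${name}_resource"
            rc=1
        fi
    done
    return $rc
}

# extract_rpm_bin RPMFILE DESTDIR
# Unpacks only ./usr/bin/* of an rpm into DESTDIR without installing the
# package (this is the "unpack" step of the text). Nothing is written to
# /usr/bin automatically: look at DESTDIR/usr/bin first, then copy by hand
# and check ownership and mode (root:root, 0755) of what you copied.
extract_rpm_bin() {
    rpmfile=$1; destdir=$2
    mkdir -p "$destdir" || return 1
    ( cd "$destdir" && rpm2cpio "$rpmfile" | cpio -idm './usr/bin/*' ) 2>/dev/null
}

# Usage with the resource names listed in the text (list constructed from it):
# missing_resources /usr/bin ical birthdays kcal knut kolabproxy localbookmarks \
#     mbox microblog nntp notes vcard vcarddir nepomuktag strigi kabc imap
# extract_rpm_bin akonadi-kde-<version>.rpm /tmp/akonadi-unpack   # placeholder file name
```

Run missing_resources before and after copying: the second run should print nothing and return 0, which is a more reliable check than waiting for drkonqi to stop complaining.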

mdv-screenlets, desktop screenlets, image: GUI screenlet administration with more than 100 screenlets plus additionally downloadable ones and a screenlet daemon, screenlets in the fore- and background, scalable size, widget attributes, more attributes like: growing flower (to be watered from time to time), slideshow, pager, control (to add more screenlets), radio, meter, stocks, speech, sensors, ringsensors, ruler, convert, an example of how to create a screenlet, copystack, clear weather from weather.com, ...

For more details see the data sheet in the left menu.

"4.65 out of 5 stars is the average rating for Mandriva from a test in the year 2014, based on 204 customer opinions. Erfahrungen.com regularly collects such ratings from all sources on the internet, which are carefully evaluated by hand and by statistical methods."


Metisse: Mandriva Metisse Takes 3D to a New Level, http://cybernetnews.com/mandriva-metisse-linux-takes-3d-to-a-new-level/
This morning I've been watching videos of the Mandriva Metisse Linux that, in my opinion, puts some amazing 3D features at your fingertips. All of this XGL and 3D stuff is often shrugged off as merely being eye candy, but there are four video demonstrations that really show the usability that these features can really offer. I always thought that openSUSE Linux was the furthest advanced version of Linux since they often implement the latest technology. However, Mandriva seems to be taking that crown away, and I have really considered switching to it as my primary version of Linux that I use. I like the look and feel of their operating system, and it is obvious that they are exploring new ways to make it the best it can be. Download Mandriva Metisse
Thanks for the tip Chris!



Convince yourself: the quite short errata list of the comfortable mdv2010.0, revised over many years, can be obtained directly from Mandriva Errata 2010.0. Not all of the problems mentioned there have to be solved. With mdv2007 and mdv2010 the time has come to install many, if not all, packages of this distribution and maybe more tarballs at once on the same SSD resp. hard disk, instead of, to be on the safe side, only a few ones as generally recommended by institutes like BIS.

The address of Mandriva is not missing on Mandriva's homepage.

Mandriva S.A. (prev. Mandrake), Paris, St. Etienne, France, Tel...., e-mail addresses... (founder: Gael Duval, 70 persons employed)


"Mandriva Linux is the brainchild of Gael Duval, who wanted to focus on ease of use for new users. Duval became the co-founder of Mandrakesoft". Most packages originate from Fedora (but a Fedora distribution on DVD from the same year 2010 that I knew remained quite scanty in comparison).


Tray, figure: system tray (plasmoid) consisting of Krandr (screen resolution), kmix, Klipper, parcellite (additional configuration of klipper), NetworkManager, Stardict, USB connections and encrypted partitions, kgpg, korganizer (calendar and appointment planner with reminder function), printer applet (printer jobs), nepomuk (semantic search), i - information for system messages by kwrited (actually not started, that means still without: knotes or tomboy, tvbrowser, ...), clock with date and calendar and the fast screen-lock and power-on/off plasmoid; faster loading of the tray after the deinstallation of the interfering draksnapshot
"Mandriva Linux 2010 - perhaps The Best Linux Release All Year - Mandriva Linux 2010 was recently released and brings lots of nice improvements to an already nice system. Mandriva has a long and distinguished history in the Linux distribution arena. They began over a decade ago using Red Hat as their base and quickly became the preferred choice of the new Linux user. This release hopes to offer some amenities to appeal to users of newer trends in technology such as semantic desktop and netbook support. The Mandriva Linux installer sets the standard in user-friendly Linux installers. For those familiar with Mandriva this release brings some great improvements. The best two so far have been the increased stability and performance. Mandriva may have had a reputation for being a bit crashy in the past, but it appears those days are gone. In the several days since a fresh install only one application crash has occurred here, and this application is known to be unstable across distributions. This new-found stability comes with even better speed as well. Not only does Mandriva boot quicker (speedboot: kernel parameter that can be set in /boot/grub/menu.lst or /etc/lilo.conf, speedboot=yes), but desktop performance has improved noticeably. Applications open and function faster, including the two heavyweights OpenOffice.org and Firefox. There is virtually no graphic artifacting and redraws are immediate. In addition, the 2010 graphics are just beautiful" (source: http://www.makeuseof.com/tag/mandriva-linux-2010-perhaps-the-best-linux-release-all-year/).


mdv2010 makes it possible to choose any design and style for desktop, appearance and desktop-design details from systemsettings and gnome-control-center - self-made ones as much as pre-given ones. A screen-covering bootsplash can appear right at the beginning when powered on, using grub or especially grub2. Color schemes can be imported, like the one from the CD of the monitor manufacturer, and there are a lot of emojis. Additionally, plasmoids and many resource-saving 3D desktop effects can enrich the desktop. With compiz, the desktop workplaces are arranged as a cube or with metisse, while the desktop background can be any wallpaper, slide show, global map, weather map, mandelbrot and so on, as well as an image on the fly. Especially OpenGL, fast direct rendering, SDL and pulseaudio guarantee the video and audio processing. Mandriva's center of gravity lies, together with Scientific Linux (sl6, el6) alias CentOS 6.7 (el6) and 6.7 (el7), updated up to the year 2060, in the extended hardware support of our days as much as in future.

Nevertheless, keep a current mirrored 1:1 backup on another medium during the installation! After the whole installation, mdv2010 runs fine.
Mandriva for free: Mandriva Lx 2014, 1.6 GB free download. Notice that we would like to keep mdv2010. Therefore we did not test this Mandriva distribution!

rpmdrake


Bootstrap of mdv2010 creates a basic Debian system: debootstrap is used to create a Debian base system from scratch without requiring the availability of alien, dpkg with debbuild and debmirror and/or apt. Notice that, in comparison with the package manager of mdv2010, those of Debian 2010 like aptitude and synaptic suffer from errors, error messages, breakdowns and poor overviews. It does this by downloading .deb files from a mirror site, and carefully unpacking them into a directory which can eventually be chrooted into (although we recommend forbidding this command). Debian is also supported by dpkg, apt, dselect, dash, ..., but with mdv2010 there seems to be not much Debian software missing, see http://fr2.rpmfind.net/linux/RPM/mandriva/2010.0/x86_64/. The colour-coded listings of Mageia Cauldron and Mandriva rpms to select from are most satisfying on http://fr2.rpmfind.net.

Mandriva-One (mdv2010.2-final, i586), directly bootable from your USB memory stick, USB 2.0 and higher. Hard drive and SSD remain unused, but can optionally be used for an installation.

Linux on your USB memory stick:

with a free or unformatted partition of at least 2 GB, for 64- and 32-bit CPUs, mdv foundation, optional installation onto your hard drive resp. SSD, kernel 2.6.33, grub (with an optional md5-encrypted password protection for each bootable dracut resp. kernel, and memory check by memtest) and lilo (boot manager, especially for kernel < 2.6.39), Firefox 3.6.13 including the security add-ons we recommend and privoxy, KDE 4.4.5, Dolphin 4.4.5, Konqueror 4.4.5, Kontact with kmail and bogofilter, clamav, Korganizer, OpenOffice, package managers drakrpm, rpm, gurpmi and urpmi, drakconf, gparted/parted (for changing the partition size even on the USB stick), software for repair, mplayer (I chose video: X11 (XImage/Shm) and audio: sdl SDLib audio output), mplayer-codecs, mplayer-codecs-extra, mplayerplugin, amarok, image viewer, gimp, gcc, gcc-c++, kwrite, fsck, rkhunter and chkrootkit, xskat, pysol, gnuchess and eboard with crafty (chess), shellshock-resistant bash, bash-completion, konsole, xterm, many repair functions and so on, mdv i586 rpm packages OR

with a free or unformatted partition of at least 6 GB: 5.5 GB more mdv2010 software from the installation DVD out of all categories like gparted, system monitors, system tools and more programs for repair, wine and qemu (emulation), k3b and brasero, xscanimage, xsane, tesseract, gocr, cups, xine, totem, flphoto, gtkam, tvtime, zapping, dvbtune, jikes, kino, audacity, supertux, toppler, rocksndiamonds, ....

both free of postage on the way back to you. Therefore you just have to put your USB stick and a protection fee of 10 € into an envelope and send it to our address, see impressum. Before you order this, please test whether your BIOS supports booting from USB storage media (BIOS boot sequence and/or keys to determine the boot sequence like F8). Username: user and root, password: mandrivaone.

Reader discussion on netzpolitik.org, open-source Disconnect vs. proprietary Ghostery
chromax 29. JUN 2015 @ 20:42
How do you know whether the open-source code corresponds to the compiled one? Still missing security…
CrX 29. JUN 2015 @ 22:06
This question is of an academic nature. Practitioners are interested in the verification (identity) of executable files and source code.
Therefore one compiles the open source oneself, if confident with it.
skoam 24. SEP 2015 @ 10:09

This is always the right question, and an answer does already exist: open source can be compiled in order to compare the build with the received executable binary code. If the hash sums (md5sum/shasum/file sizes) do not agree (that means they differ), the executable code contains code not listed in its source.
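The comparison skoam describes, as an added example (not code posted by any participant in the discussion): hash the locally compiled binary and the shipped one and compare. It uses SHA-256 rather than the md5sum mentioned in the thread, since MD5 is not collision-resistant, and it also checks a file against a digest the vendor has published, which is the more common case. One caveat a practitioner needs: unless the project builds reproducibly, embedded timestamps, build paths and compiler versions make two honest builds differ, so a mismatch is a reason to investigate the difference (for example with diffoscope), not proof of tampering.

```shell
#!/bin/sh
# Added example for the netzpolitik.org discussion above (not from the page).

# file_digest FILE -> prints the SHA-256 hex digest of FILE
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # BSD/macOS fallback
    fi
}

# compare_builds LOCAL SHIPPED
# Prints "match" and returns 0 when both files hash identically; otherwise
# prints "mismatch <local digest> <shipped digest> sizes:<a>/<b>" and returns 1.
compare_builds() {
    local_bin=$1; shipped_bin=$2
    h1=$(file_digest "$local_bin"); h2=$(file_digest "$shipped_bin")
    if [ "$h1" = "$h2" ]; then
        echo match
        return 0
    fi
    s1=$(wc -c < "$local_bin" | tr -d ' '); s2=$(wc -c < "$shipped_bin" | tr -d ' ')
    echo "mismatch $h1 $h2 sizes:${s1}/${s2}"
    return 1
}

# check_published FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals the digest published by the vendor
# (case-insensitive). Obtain EXPECTED_HEX over a channel independent of the
# download itself, e.g. a signed release note.
check_published() {
    actual=$(file_digest "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Usage (file names are placeholders):
# compare_builds ./mybuild/disconnect.so ./downloaded/disconnect.so
# check_published ./downloaded/disconnect.so "<sha256 from the release page>"
```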

Why UNIX/Linux? Because I know it is open source and I know the kind of (almost German) programmers behind it (book by Prof. Kersten and books by some other authors).
Must it always be caviar? Tell us about any more secure distribution ever!

Gentoo Linux 12.1 2012 Live-DVD (x86_64 for 32- and 64-bit and AMD64 for 64-bit CPUs) from Gentoo.org, burnt 3.3 GiB ISO. The so-called meta-operating-system Gentoo is recommended by prism-break.org. It is bootable from DVD as well as installable onto SSD/HDD from open-source packages to be compiled. You can also order an already burnt Gentoo 12.1 AMD64 DVD from us, free of postage fees, for 10 €

Smartphones


In comparison with the iPhone 6: this smartphone can do something no other one can, Focus, 01.11.2014
For only 12 US dollars it rivals Apple or Samsung - with uncommon features. "Smartphone addiction is real everywhere. This phone does not suck up your data, does not annoy you during concerts, does not disturb you in the cinema and keeps the pavements clear. The solution is found. With this promise, a user named "The NoPhone Team" on the crowdfunding platform Kickstarter presents his project. It is a phone like no other one and can do what no smartphone can. Namely... nothing. Perfect for the trouser pocket: its wireless design made of flexible plastic feels cool and real. "Just pull it out and hold it." The most significant features are named by the manufacturers: no battery, no annoying updates, shatter-proof, waterproof. The project has its success: the NoPhone team wanted to collect 5,000 dollars but received 18,000. This phone, which can neither phone nor write SMS nor surf the internet, should cost twelve dollars. There is another "NoPhone" version with a selfie function. This model has a mirror in its display and is marketed with the words: "Show your friends your newest selfie, if they stand directly behind you."

We do not believe much in the honesty of the other ones in all matters: in regard to SAR values, cases like Macolini and the feeling of a "slap in the face" (probably metastasis) on the side of the phone, taken from our section for News&Links, and other cases where magnetic influence was felt by second persons within a radius of more than three meters from the phoning handset, Gooken dissuades from all kinds of wireless (mobile) phones except in emergencies!

Two cameras, several microphones, a GPS module and oodles of private user data: smartphones are the perfect surveillance devices
Security expert reveals: your smartphone can spy on you - although you powered off everything, STERN.de, 08.02.2018
Via GPS and co., smartphones can monitor us permanently. Fortunately the functions can be switched off. A researcher now explains how these safeguards can nevertheless be circumvented - and why that can hardly be prevented.
https://www.stern.de/digital/smartphones/so-kann-ihr-smartphone-sie-ausspionieren---obwohl-sie-alles-abgeschaltet-haben-7855612.html
https://www.stern.de/digital/computer/erpressungs-trojanern--so-schuetzen-sie-sich-vor-ransomware-6725356.html
https://www.stern.de/digital/online/datenraub--mit-diesen-7-tipps-schuetzen-sie-sich-davor-8521708.html
https://www.stern.de/tv/datenhack--warum-wurde-es-dem-taeter-so-leicht-gemacht-und-wie-kann-man-sich-schuetzen--8521650.html
https://www.stern.de/digital/online/der-mann--der-uns-schwierige-passwoerter-einbrockte--bereut-seine-entscheidung-7577534.html
https://www.stern.de/digital/online/iphone-privatsphaere--mit-diesen-einstellungen-schuetzen-sie-ihre-daten-8522116.html
https://www.stern.de/tv/gute-passwoerter-und-co---so-schuetzen-sie-sich-bestmoeglich-vor-hackerangriffen-8524324.html

How to make mobile end devices secure: http://www.pcwelt.de/ratgeber/So-sichert-man-mobile-Endgeraete-im-Unternehmen-ab-FAQ-9582121.html.

This link originates from our section News&Links#computer#smartphones, CHIP, 26.12.2016: Android security is one thing to take care of with fitting apps. With such apps you no longer need to fear the NSA, data theft, viruses and co. CHIP presents the apps that protect your Android phone in a perfect way.

Data backup for smartphones: here are the best solutions for data backup for Android, iOS and Windows.

ifixit: It is easy to repair smartphones - FOCUS Online.



10,000 mAh powerful monster battery from smartphone manufacturer OUKITEL, Focus Online 02.07.2015
Four times more powerful than the Galaxy S6: this smartphone has a battery life of one week

The days of empty smartphone batteries might be gone. The manufacturer OUKITEL plans the first smartphone with a battery life of one week ...

See reports from our link page: they are manufactured by perverts (Apple; see a report from our link page), tiny displays strain the eyes, they radiate and cause serious accidents, while one cannot care enough for IT security even around them: smartphones. Gooken primarily cares for the desktop PC. Therefore, before the (similar) use of smartphones and mobile phones it is strongly recommended to have a look at our link page by clicking on links or here, but note that the use of so-called crypto smartphones and crypto mobile phones can provide the needed protection only up to the already threatening point of crypto computers resp. supercomputers.

ZDNet / Mobile: Why open-source phones are the better smartphones, by Jack Wallen, 24 September 2009
Open source provides the mobile market plenty of advantages, beginning with the reduction of costs, more security, up to many adaptable settings and a more productive development of applications. Do you agree that open-source devices are the better smartphones? Or will Apple, or even Microsoft with Windows Mobile 7, win the fight for market share? You can write a comment.


Hardware-Support: device-drivers, hardware-databasis


Kernel 4.20.13 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004 (leads to a manual LUKS password request even in the case of an existing password key file!), mdv2011: version 008) and glibc (el8, pclos, mga6) resp. kernel 2.6.39 (mdv2010) with current patches up to now (see our section for updates) provides extended hardware support. But sometimes you just have to wait. So-called "old" hardware need not be bad; the drivers are mostly provided. Popular drivers are already within the kernel or kernel modules. If missing in the kernel modules, the corresponding packages (rpm, deb) can be taken over into such modules. The CPUs of mainboards consist of standard machine instruction sets that are already reflected in the package name like x86_64, i686, ia64, ppc, ppc64, ppc64le, aarch64, s390, s390x, arm, armhfp, sparc and so on, while the BIOS (BIOS chip) on the mainboard should be socketed so that it can be reordered if malfunctioning. For the graphics card you can use the UNIX/Linux standard drivers fbdev or vesa. And plugging in TFT monitors is as simple as it is in the case of PostScript printers, by naming the corresponding PPD file from (rpm) openprinting packages, manufacturers or the manufacturer's driver CD. Start MCC, go to section "add a printer" and link to such a PPD file. Good to know that USB is downward compatible. If the (W)LAN chip does not work, a standard PCIe or PCI ethernet card helps out until the packages or tarballs for the driver are released on the internet; the same goes for the graphics card and the onboard sound chip.

Hardware for Linux, PC-WELT.de, 11.06.2019
Question: Is it guaranteed that hardware can be used unrestrictedly with Linux on my PC, netbook and peripherals?
Answer: To say it shortly: no. Here's the long version of the answer: it takes a leap of faith. Hardware manufacturers seldom offer support for Linux. Basic components like graphics, SATA or ethernet chipsets do not cause problems. But for printers, scanners, USB TV or WLAN sticks, in many cases the driver CD does not include drivers for Linux. And even if it does, they seldom fit the installed system. Notebooks are often restricted too. In some cases the brightness of the screen cannot be adjusted by key combinations, or the power modes do not function as in Windows.
Therefore the only help is to get informed via the internet or by the vendor about notebooks and peripherals. There are vendors specialized in Linux like Tuxedo.
https://www.pcwelt.de/ratgeber/5-Fragen-und-Antworten-fuer-Linux-Anfaenger-10589209.html

PC-WELT.de, 01.09.2015: "Find out about compatible hardware before you order it
Whoever does not want to care about Linux drivers should check the compatibility of the hardware before it is ordered. In most cases it is sufficient to start a search in search engines with the name of the hardware device in combination with "Linux". One can also search in hardware databases. It is also useful to get informed by websites like http://wiki.ubuntuusers.de/Hardware with lists of hardware that functions and tips for its installation. Information about TV cards and sticks is also provided by Linux TV.
If Linux is to be installed on a notebook, http://tuxmobil.org or the Ubuntu Wiki provide useful information. There are some manufacturers specialized in notebooks with preinstalled Linux, like Tuxedo Computers, although such devices might be a little more expensive than Windows notebooks."


After an upgrade of the glibc from mdv2010 to rosa2014.1 or mga3, a huge repertoire of driver packages and tarballs is available even for current hardware.

These companies provide drivers for Linux:
Graphics cards: Intel, Nvidia, AMD
Printers and scanners: Epson, HP, Intel, Samsung, Brother and Canon

Hardware databasis and hardware support:
http://openprinting.org for Ghostscript- and the PPD-files of postscript-printer
https://de.opensuse.org/Portal:Hardware
http://wiki.ubuntuusers.de/Hardware
http://linuxtv.org/wiki/index.php/Hardware_Device_Information
http://community.linuxmint.com/hardware
http://tuxmobil.org/
https://wiki.ubuntu.com/HardwareSupport/Machines/Laptops
http://www.tuxedocomputers.com
http://wiki.ubuntuusers.de/Drucker
http://www.pcwelt.de/ratgeber/Uefi-statt-Bios-Das-muss-man-beim-Linux-Boot-beachten-Von-USB-und-DVD-9715238.html
http://wiki.ubuntuusers.de/Scanner


A detailed report about the hardware support of drivers is provided by the following article: http://www.pcwelt.de/ratgeber/So-bringen-Sie-Linux-trotz-Probleme-zum-Laufen-9789269.html.

If a driver is still missing, it can be built by any user. Several howtos can be found on the internet. For printers, packages like cups-ddk are released for cups.

X11-server-troubleshooting (graphic card): see our section for "updates"

Printer-Troubleshooting: see our data sheet, section printer

Lacks in security


"The way is the goal" are the well-known words of our predecessor security manager Confucius (...), which made us write so much here. Our main aim is to drag him out of the computer scene for IT security and, for whoever is awake enough, even forever! Together with the checklist it is shown that computer technology need not be nonsense, even if it is meant so, and even if there is nothing really secure in this world, because of the race between the security-endangering and the secure, and the certain kind of human behind this scene. Computer history up to now, with its typical constitution of software in intransparent "pirate-black" binary machine code and unclear amounts of versions and distributions, has shown some more (responsible) difficulties in satisfying claims of achieving real protection for the jack of all trades. Smartphones, notebooks and so on are only mentioned on our link page. MG Chip: "The combination of scanning electron, scanning Auger and scanning plammet microscopes is cracking any kind of chip, however secure from manipulation it is signed." Serious cases of system self-destruction cannot be excluded. But resignation does not help. Nevertheless the general aim of this excursion is to provide computer systems with almost no lacks in security at all, and therefore (quite) without any scans of hard disks by any scan software. By following the excursion, your UNIX computer will be freed from all (!) problems with the computer quite at once, like (... ever seen so much red in your documents?)

proprietary software (open source against liability, more clarity on questions of liability), cost traps (here: billing via mobile phones and SMS, overlooked additional parts of contracts and the conditions), blackmail for unlocking suddenly locked computers (see our report under links), abuse of copyrights and patents, cult for criminals, billions of hard investment in spying software and techniques, a missing, confusing or fluctuating IT security concept, hard-disk scans, defragmentation (unnecessary for many UNIX file systems), hard drives (instead of MLC-SSD, quote: "A magnetic hard drive is much too risky to entrust data to. Although a lot of improvements took place, who has not heard of or, in the worst case, made the experience of lost data. Therefore enough reasons are relevant." (source: poshtar@datensicherx.com, 13.05.2014)), the demand for a registry, registry errors (UNIX systems have no registry), degeneracy of the registry, suddenly or unpredictably lost files, explosion (of the power adapter), fire (power adapter, porous PC loudspeaker cable, ...), your own incomprehensibly blackened company (enlightened by our PHP-MySQL company management Mycompanies), virtual blackmail by encrypting hard drives against ransom, shooting by unmanned flying objects as a technical response to stored data, contamination (through chipsets, preventable by IGP and all-in-one mainboards) and radiation, WLAN radiation (see our link page), CRT radiation, CD-burner radiation, power-adapter radiation, warnings of high SAR values (mobile phones), zero emission (reflectable monitor emission, for example by special PCMCIA cards, prevented by special editors like the zero emission pad), hardware recognition (standardized drivers, kernel versions greater than 2.6.30), infiltration of social networks, mobile-phone hunts through networks, inconsistency (vs. everlasting science), need for upgrades (new tarballs, zip archives, functionality), updates, patches and bugfixes (vs. functionality), browsers with outdated SSL 3.0 (modern usage is provided by TLS), changeovers to different security software, missing changelogs, software overload on the hard disk (open source, dependency checks, other introduced methods), hackers (iptables blocking along the line of STATE NEW), large holes in firewalls (iptables block rate), intrusion and vandalism, viruses (access rights of UNIX file systems), FREAK (patch, or prefer browsers like Firefox or Konqueror instead), abuse by virus scanners (standard open-source clamav), worms, rootkits (rkhunter) resp. botnets and trojans (no botnets and no trojans by correct usage of the OWNER concept of iptables), manipulation of software, files and configurations by system administrators, DDoS attacks (mostly on the basis of bots and trojans), outdated alarms, false alarms, forgotten or coded warnings and error messages, ad- and spyware as well as tracking scripts (Firefox add-ons), drive-by downloads, canvas fingerprinting (see under online check), forced acquisition because of discontinued customer support for old operating systems (lifetime installation support for all mdv/mdk from "point 1" to "point 0" versions), product manufacturing faults right on the surface of the installation CD/DVD, aggressive marketing, need for updates and upgrades instead of functionality, unknown authors behind the named ones, burn errors, problems with the BIOS and during system startup resp. boot, flush and reset, intransparent boot processes, hardly understandable process names (partial standardization by UNIX/Linux), unmeshed networks (fail-safe meshed networks), video and voice recording, judge microphones, observing satellite technology (see under links), Spanish flies, night viewers, evaluation of such recordings (audit, log files), text and image manipulation, manipulation of websites by the webhoster, instability, system breakdowns, broken USB sticks (secure unmount and never before, fsck), usage of USB hubs instead of USB extension cables only, manipulated electricity meters and cables (UPS: uninterruptible power supply), ineffective encryption through cryptographic methods not based on science from universities, the search for important function keys, weak point human, an insufficient set of (security) system commands, hang-ups and restarts, anomalous login attempts (LADS, login anomaly detection system), outdated alarms and warnings, installation of malware by opening e-mail attachments, unsigned installation from anywhere, installation by everyone, non-portability, defective peripherals and hardware, restricted presentation of websites, keyloggers and other malware, wiretapping bugs (from USB cards and other devices), theft of sensitive data from USB sticks through their microcontroller, cracking of WLAN encryption keys, spy networks, false e-mail sender addresses (disabled browser cache, header of the e-mail source text, digital signatures by public signature keys, De-Mail), DoS attacks, buffer overflows (bugs) providing root rights, aggressive marketing, missing warnings of the BIOS during overheating of the CPU and from the inside, malfunction of USB memory sticks, intransparent boot procedures without detailed information, long boot times, weak point human (as the title of a contribution from a newsgroup), files and processes with hardly understandable names, page manipulation and censorship by webhosters, need for additional software, for example for ftp transfer, use of hard disks instead of durable and less power-consuming (MLC) solid state disks (SSD), installation of malicious software by opening attachments from e-mail, need for external graphics and sound cards (IGP, onboard integrated graphics and sound chips), software from unspecified sources (integrity checks, checksums), installation by any user instead of only by users with special access rights, cloud computing (avoided by not storing onto foreign media: external hard drive, USB memory stick), bad cable connections, eavesdropping on WLAN, cracking of WLAN encryption keys, illegal access to WLAN access points, broadcasting bugs from USB cards or other devices, lack of test reports and exchange of experiences (data sheet and test forums), low duration of batteries, unknown details of the OS kernel, bad or weak encryption, encryption by cryptographic methods from elsewhere instead of those checked resp. developed by universities, badly or weakly encrypted instant messaging (OTR, ...), manipulation of files like those in /etc/security/msec (FDE, FSE for full disk and full system encryption, file encryption), vandalism "you can power off your computer now!", insecure passwords, unpredictable expiry of passwords, the number of passwords (kwallet and revelation), visibility of files storing passwords (steghide), bad adherence to deadlines, untimeliness, forgetting the surroundings (appointment planner, countdown clock, scheduler, task scheduler, ntp daemon), burn errors on CD/DVD (noflushd), non-portability, unmeshed networks (fail-safe meshed), security-endangering security software, missing software, incomplete set of (security) system commands, instability (breakdowns, blackouts and hang-ups, alpha/beta software development stages, ...), release of authorizing root rights, hackers, holes smashed into firewalls, viruses, worms, rootkits (rkhunter) resp. trojans, dialers, hoaxes (watching out for the sender), false alarms, anomalous login attempts (login anomaly detection systems like LADS, delays after failed logins, commands to list logins and login times), risks of WLAN (many single security operations have to be performed), security-lacking file systems, restricted file systems (capacity of copied files, system dependencies), looking out for important function keys (BIOS, security modes ...), unpredictable deletion of files from anywhere, unpredictable remote maintenance, changing of fundamental configurations and settings, need for a registry, registry errors, degeneration and orphaning of registry entries, capacity-restricting zombies, adware, popups, tracking scripts, ad- and spyware, online registrations for the release of software, spy networks, intransparent connections over foreign network nodes (traceroute, command tcptraceroute, see News&Links#Computer), DoS attacks, click/ping tracing, cookies and third-party cookies, supercookies, informative browser history, ABE, cross-site scripting, operating time on battery, suspicious plugins, encryption-cracking supercomputers, restricted presentation of websites, censorship depending on the true aims behind it, spam (Spamassassin), spam entries (Captcha), scam, missing option resp. missing command for registering even foreign nodes through the net (traceroute, command tcptraceroute), reads and writes from hard disks by other parties, phishing, dialers, dissuasiveness, need for upgrades, errors and mistakes, missing software, registration, forwardings and therefore profiling by search engines and depreciation, passing of huge server farms and advertising networks, personalized advertisement, profiling, identifying UA browser answerback (see our online check) resp. IP, the static new IP address space IPv6, identity theft, pre-punishment registration (cybermobbing), bad support, maintenance, bad sectors and file systems with errors resp. the long time for their repair, capacity restriction of file systems during file transfer, bad encryption, online speed blockers, editors (programming) without syntax highlighting, missing log files, wait states, need for many drivers, more than hard to understand names for system files, processes and errors, support for children and the disabled (input support and other programs like dasher, mouse-tweaks, speech, squid-guard, window managers like LXDE and XFCE, ...), problems typing with the ten-finger system (missing keyboard), manufacturing faults on CD surfaces (MS 98/SE), insufficient or badly tuned software components and the risk of their dependencies, need for additional software like for ftp transfer, the old concept of magnetic hard drives instead of long-lasting, fast and power-saving solid state drives (SSD) with specific natural durabilities for storage, need for repair, (external) graphics, sound and ethernet cards (all-in-one boards, ideally with CPU, cooler and RAM) as a contribution to unburdening the power adapter to prevent open fire and explosions, 1000-watt PC, 65-watt CPU, technical reconstruction of direct debit mandates, missing delivery of online-ordered goods, especially from foreign countries and in cases of a too low amount in dispute, different device interfaces (well known, solved by downward-compatible USB), the dispersed resp. page of the security concept, waste of resources, waste disposal problems, internal self-destructs, write-offs, science-pocketing software companies, costs for acquisition, licences, training, additional costs, difficulties or bad handling, ...

... "in West Nix Niue (not new)" ...


with alternatives from our data sheet, now all at low cost in terms of power consumption, like energy-saving lamps!

Data Protection
Windows 10: Deactivated functions still send data to Microsoft
, http://www.pcwelt.de/news/Windows-10-Deaktivierte-Funktionen-senden-Daten-an-Microsoft-Datenschutz-9781744.html

In the best thinkable case, other people do not even know whether you possess a computer at all, neither by IP nor by DNS, nor do they know about your installed operating system(s), installed software and files!

Although only human failures should cause errors during the installation of mdv2010, some errors can happen. There is a number of mdv2010 error messages that do not help troubleshooting, and some are missing. Therefore we recommend a second SSD for the backup of every important installation state of the first one. Then as many packages as the user likes and ever needs can be installed on the SSD without lacking system security, even if you are installing operating systems like mdv2010 with packages totalling over 65 GB!

Survey of the internet node: DE-CIX sues BND, Tagesschau, 22.04.2015
The BND is being taken to court for its surveillance of the net node DE-CIX in Frankfurt am Main. The operator of the node is going to sue. Critics also sue the government for using tricks. Around three terabits of data per second are passed and processed, an amount of 600 CD-ROMs. Its customers include all big internet companies like Deutsche Telekom, Vodafone and Verizon; for more details see Links, section "NSA, GHCQ & Co.".

Prism.break is right to recommend both alternatives (addition from 07.09.2013): Tagesschau reports about weak points in much security software. The software industry is said to have built backdoors into their programs. It is said to be possible to get information right before a user encrypts it and to send it over the internet. Supercomputers were constructed to crack encrypted codes. The NSA program "Bullrun" belonged to the best kept secrets. The British agency GCHQ is said to have been very successful in cracking codes.

prism-break.org: "With proprietary software, you need to have 100% trust in the vendor because there's nothing except for their morality in the way of them leaking your personal information. Even if you can vouch for their integrity, proprietary software invariably has more uncaught security bugs and exploits because there are fewer eyes examining the source code."

prism-break.org, 2014: "Apple, Google and Microsoft are probably part of PRISM. You cannot trust their proprietary operating systems to keep sensitive data safe from the NSA.

Two alternatives do remain: GNU/Linux and BSD.

GNU/Linux has a much larger community than BSD to help us with the change. It is recommended to search for a proper GNU/Linux distribution fulfilling the requirements."

PCWelt.de, 19.10.2015: "BitBox is a browser-in-the-box - a virtual environment in order to secure the internet and make it more comfortable during surfing. This virtual machine with a separated web browser protects from dangers, for example like the rebuilt resp. modified browser Dragon from the antivirus expert Comodo. Its appearance reminds of Google Chrome, but Dragon is constituted to be more stable, and thanks to the privacy mode this browser is able to stop seriously hard cookies. The inspection of SSL certificates is more precise. Whoever wants to keep his browser safe from the rest of the PC may prefer BitBox - a browser-in-the-box. The developers of BitBox, the Bundesamt for Information Security (BSI), have put their browser into a fitting virtual Linux environment. Linux has got some advantages in comparison to Windows - there are only a few "varmints" known for this operating system offered for free. So you use a virtual Ubuntu as a surf system resp. for online banking. A virus scanner is not required anymore. Tip: Alternatively use Wubi.exe in order to install Ubuntu beneath Windows. This small file installs Ubuntu beneath Windows on the hard drive. When the system starts, the system is chosen. In this case, a virtual box is not needed anymore."


On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they're vulnerable. In addition to browsers, many mobile apps, embedded systems and other software products also use TLS. These are also potentially vulnerable if they rely on unpatched libraries or offer RSA_EXPORT cipher suites. Vulnerable browsers are Internet Explorer, Chrome on Mac OS, Chrome on Android, Safari on Mac OS, Safari on iOS, the stock Android browser, the Blackberry browser and Opera on Mac OS. Firefox (Windows, Mac, Linux) and Konqueror (Linux) are not affected; see freakattack.com for more details.

Tagesschau, 07.31.2014: Scientific experts have found out that sensitive data can be read out through the microcontrollers (processors) of USB sticks, see the report on our link page under the point Links! Therefore a new USB standard is being developed. By this, all data of computers can be read out, even passwords and email contents, and devices like webcams can be steered. The operating system does not notice any of this, as it believes in keystrokes and not in software attacks.

prism-break.org: "We recommend MLC-based SSDs instead of magnetic hard drives." "A magnetic hard drive is much too risky to entrust data to. Although a lot of improvements took place, who has not heard of or - in the worst case - made the experience of lost data. Therefore enough reasons are relevant" (source: poshtar@datensicherx.com, 13.05.2014). (Similar to magnetic hard drives, in order to keep the very fast access times of an SSD, at least 4 GB of memory should be kept free; comment by the editors.)

Legend ends: Microsoft ends the Internet Explorer, Focus, 18.03.2015
New browser after 20 years
After two decades a legend of the internet died: Microsoft is developing a new browser in order to replace the Internet Explorer. For the time being, its name is "Spartan" - and it shall have nothing to do with its predecessor.

Tagesschau, 28.04.2014: Vulnerabilities of the Microsoft browser
USA dissuades from Internet Explorer
In Microsoft's Internet Explorer (market share more than 50%, 2012, study by the web analysts of Net Applications), vulnerabilities were found past the end of support for XP (08.04.2014), and they still exist. The US government advises to use other browsers for the time being. There are said to be so many difficulties in the Explorer versions six to eleven that hackers can cause enormous harm, warned the ministry of homeland security. The problems have been known since the weekend. Microsoft announced it would do something against them. The vulnerability is said to consist of wrongly programmed memory accesses. Prepared websites that users of the Internet Explorer call could provide attackers access to the computer in order to execute malicious code and take control over the computer. The vulnerability is already effectively in use. It is the first serious one since the support for Windows XP ended. Therefore it could persist for PCs with the 13-year-old operating system regardless of Microsoft having solved the problem.

In News&Links we describe how to make an internet browser of MS Windows secure on the base of a Debian sandbox, downloadable for free.

Internet gang robs one billion dollars from banks, Focus, 15.02.2015
A bank robbery in the internet century was made this way: a gang broke into the computer systems of credit institutes and manipulated even account balances. They are said to have got any amounts of money they liked from cash machines.

Focus 2015: Antivirus scanners promise all-round protection for the computer and to make surfing online more secure. But in half of all cases, they cannot fend off cyber attacks.

Tagesschau.de 11/2013: Appelbaum from Wikileaks sees opportunities for effective encryption. For this, free and open source software is needed. Not all encryption is the same; not all companies have been or can be trusted.

Tagesschau, 11/2013: Wikileaks sees opportunities for functioning encryption. One needs free and open-sourced software. Not every encryption is secure, not all companies are trustworthy. Wikileaks hopes for concrete counter-measures. For example, if an attorney proclaims trust on the telephone although he did not use an encrypted telephone, one should call him careless.

Tagesschau, 10.03.2014, quoting Snowden: "If you encrypt your hardware and the connections within nets, it is much more difficult to collect your data with mass-surveillance software. Of course, such data can be cracked resp. hacked for targeted surveillance, but it remains more secure. The best proof is said to have been delivered by his own documents, kept encrypted and sent per email." (Two encryptions can be applied to e-mail transfers: one of the text contents of e-mails by pgp/gpg, one by pop3s and smtps (TLS) for the connection to the pop3 and smtp server.)

OK WLAN-Router
Router security test 2020: AVM, Asus & Co. compared, PC-Magazin.de, 16.6.2020
How much do common WLAN routers contribute to protecting the home network and its users? PC Magazin and the security lab AV-Comparatives pursued this question in an extensive test.
https://www.pc-magazin.de/vergleich/router-sicherheitstest-2020-3201633.html

OK Many WLAN routers threatened by a security hole: users should better switch off a certain function, CHIP, 28.05.2020
IT specialists have discovered a serious router security hole that apparently affects a whole series of Netgear devices. Through the hole, attackers can gain control over the routers unnoticed and foist manipulated updates on the user. How you can protect yourself is explained here. What matters when buying a new router, we explain in the video.
The security researchers of the IoT lab of the FH Oberösterreich came across a glaring security hole in the Netgear router Nighthawk R7000; apparently many further models are at risk as well. The problem: the router does obtain firmware updates over an encrypted connection, but the devices apparently do not check the server certificate. This makes it fundamentally possible for attackers to install manipulated firmware updates on the router, and so cyber criminals can potentially gain control over the routers of users.
If individual files or the update server itself are temporarily unavailable, the routers may even fall back to completely unencrypted protocols to install the updates, which makes the attacks even easier to carry out. In addition, digital signatures are not verified before the update process, so the routers install manipulated updates without the device detecting it. Both the automatic update process and the update via the assistant in the web interface are apparently affected by the vulnerability.
There is no official fix from the manufacturer so far: according to the researchers of the FH Oberösterreich, Netgear has not commented on the problem since the end of January, let alone rolled out a workaround via an update.
https://www.chip.de/news/Viele-WLAN-Router-von-Sicherheitsluecke-bedroht-Nutzer-sollten-bestimmte-Funktion-besser-abschalten_182735284.html

OK Router security: virus researcher warns of attacks via the browser, Spiegel Online, 26.05.2015
Via manipulated websites the configuration of various routers can be changed, warns a virus researcher. Because the devices then redirect requests to fake internet offers, criminals have the chance to record passwords. One wrong click and the router causes trouble: a sophisticated new attack exploits the weaknesses of common models; unknown persons put websites infected with malware onto the net for this. The security expert known under the pseudonym Kafeine describes the problem on his blog; it endangers at least 40 models of well-known manufacturers, among them devices from Asus, Belkin, D-Link, Linksys, Netgear and Zyxel. Fritzbox routers do not appear on the list. The attacks Kafeine observed follow this pattern: users of Google's Chrome browser are redirected to a server containing malicious code. It tries to determine the user's router model in order to then change the DNS settings of the device. The Domain Name System, DNS for short, is often called the address book of the internet because it works quite similarly: if the user enters a certain web address in the browser, the request goes to the router, which then looks up the matching IP address with the help of a DNS server. If an attacker manages to insert himself into this chain with a manipulated address book, he can foist other IP addresses on the router and thus guide the user to fake websites. Criminals could, for instance, imitate the start page of a bank in order to harvest the login data typed into the fake page. Almost a million accesses in one day: unknown attackers apparently recently succeeded in such a redirection of page requests - and on a massive scale: a DNS server observed by Kafeine has so far registered around 250,000 accesses per day this month. On one day - May 9 - there were even almost a million accesses, the virus researcher writes.
The attackers proceed cleverly: as a secondary DNS server they use Google's public DNS service, which means that those affected still reach pages even if the attackers' server temporarily refuses service. It is remarkable that apparently not only routers whose remote maintenance function is activated are at risk. According to Kafeine, the described attack happens through a so-called cross-site request forgery (CSRF), with which a browser can be forced to execute actions on foreign websites. The target of the attack is the administration interface of the router. Even if it is decoupled from remote maintenance and actually only available in the local network, it can be attacked, because routers, unlike websites, are often not protected against CSRF attacks, writes "Computerworld".

How can you protect yourself?

The list of affected devices published by Kafeine is probably not complete. Users should therefore - regardless of whether their router is among those named - check whether the firmware of their router is up to date and update it if necessary. With this attack the cyber criminals above all exploit the convenience of users: many users configure a router only once and do not care about it afterwards. How important regular firmware updates are, especially for this interface to the internet, was shown only a few days ago by the NetUSB hole.

OK Passwords of 500,000 WLAN routers leaked: what users should absolutely note now, CHIP, 21.01.2020
FritzBox firmware update: updating is this easy
Hackers use WLAN routers and servers to build botnets. Now the IP addresses and passwords of more than half a million devices have been published freely accessible on the net. But there are measures every user can take now. For example an update. How best to update your Fritzbox, we explain in the video.
https://www.chip.de/news/Passwoerter-von-500.000-WLAN-Routern-geleakt-Das-sollten-Nutzer-jetzt-unbedingt-beachten_179776444.html

OK Update your router: federal office warns of security holes, PC-WELT.de, 07.01.2020
The Federal Office for Information Security (BSI) warns owners of D-Link routers of a vulnerability.
The Federal Office for Information Security (BSI) is currently warning citizens with two technical security advisories of risk level 3 and risk level 4 about vulnerabilities in WLAN routers of the manufacturer D-Link. The first vulnerability is said to allow the disclosure of information. The second hole is said to allow the execution of arbitrary program code.
https://www.pcwelt.de/news/Router-updaten-Bundesamt-warnt-vor-Sicherheitsluecken-10732250.html

Solving typical problems with the router, PC-WELT.de, 10.09.2019
If streams stutter or internet calls drop even with fast DSL, the right settings on the router help.
https://www.pcwelt.de/a/typische-probleme-am-router-loesen,3449919

No access to 192.168.1.1? This is how the router login works, PC-WELT.de, 18.03.2019
Despite entering the IP address 192.168.1.1 or 192.168.2.1 in the browser, the router login does not work? We bring you into the router menu in 7 steps.
https://www.pcwelt.de/ratgeber/192-168-1-1-so-klappt-das-Router-Login-9638280.html

OK Browse: Therefore always try to turn http:// into https:// (SSL) in the address line of your browser manually, before the URL of the website is entered! Favorites should contain only such URLs too. Notice that an SSL certificate of the webserver resp. webhoster is not present in all cases!

JonDoBrowser: Anonymous Firefox replacement, still beta, CHIP, 14.09.2012
The JonDos GmbH (University of Leipzig) accused Firefox of having built-in functions that are harmful for data protection. Therefore its developers released the (together with JonDo) anonymizing JonDoBrowser Beta for free, http://www.chip.de/news/JonDoBrowser-Anonymer-Firefox-Ersatz-mit-Macken_57527151.html.

Jondofox - Firefox with condom
Download Jondofox: http://www.heise.de/download/product/jondofox-58547/download
We, Gooken, introduce a list of security browsers on News&Links#Alternatives#The-Green-LED#BrowserCharts. For installing Jondobrowser, set the path to the firefox profile in the installation script of Jondofox manually to /home/surfuser/.mozilla/firefox. The integration follows right after the start of firefox. Never install add-ons not based on open source. Jondobrowser's integration of add-ons like https-everywhere should, as described, also be seen critically.

Freak: "Freak" security hole: Windows affected too, 06.03.2015,
With a so-called "Freak" attack it becomes possible for third parties to decrypt actually protected data traffic and possibly read personal data. These operating systems and browsers are affected.
Last Tuesday, information about the so-called "Freak" security hole was made public. Through it, third parties can tap data from actually protected SSL/TLS connections. For this to actually become possible, however, certain combinations of web browser and operating system must be present. In principle, Android, iOS, Windows Phone, Windows, Mac and Linux users are at risk. To exploit the hole, websites with weakened encryption must also be visited, as on.

During normal browsing with MS Windows and Mac, Focus 31.08.2014
Danger in the internet: the invisible drive-by download
Infections by drive-by downloads are very perfidious. While surfing the internet, malware from infected websites can be loaded onto the computer without any possibility to notice it - article by FOCUS-Online expert Marco Preuss

Stern.de reports in April 2014 about the Adobe Flash Player with security holes that can lead to trojans finding out passwords and credit card information. Updating this software is strongly recommended, the same for Java. With UNIX systems, updates, patches and bugfixes can be performed from their original sources, that means immediately on the date of their release, as in the following example:

Checksums help to prevent the download of trojans from the internet.

Increasing amount of data theft, Tagesschau, 07.04.2014
As IT security experts tell, among other things in conjunction with security holes in OpenSSL, in the year 2013 data of more than half a billion internet users were stolen as a result of online attacks. 552 million identities are involved, as told by a security company, about six times more than in 2012.

Sueddeutsche.de, 21.12.2014 tells in a report that you still cannot trust cloud computing and your own data on other far-away servers. We believe not only in security risks of cloud computing, but also in consulting companies receiving data from there. In spite of our excursus, on the base of some other operating systems there was still a need for security experts in 2014!

Tagesschau, 28.04.2014 reports about one more serious security hole just found in Internet Explorer 6 up to 11 (market share above 50 %, 2012, Net Applications), so that XP, with no further updates available since 04.08.2014, still has to be updated, and even the USA advised, through so-called homeland-protecting organizations, to use other browsers. The troubles caused by such Internet Explorer versions are said to be so big that hackers could do a lot of harm. Since the last weekend, Microsoft has been looking for solutions. The security hole consists of a buggy memory access that enables attackers, via the IE, to gain access to computers, execute malicious code and gain control over the computer. This security hole is said to be already in use.

AOL email accounts including security questions are also said to have been hacked.

Yesterday Apple warned against data theft due to a security hole in OS X. If an attacker has access to the same network as other users - for example through a badly protected WLAN connection of a restaurant - he could be able to access data from email transfers and other communication procedures (protocols) that should have been encrypted instead; as already mentioned by Edward Snowden, his former organization is said to have already taken advantage of it.

Not much can be done against fake accounts created in your name by identity theft in the internet, except by law. One should register oneself in the most popular social networks like facebook as a contribution to avoiding it. Such an account should be equipped with as little sensitive data as possible and be visited regularly, in the sense of maintenance.

We, Gooken, also notice that norisbank (Deutsche Bank) got certified many times for online banking by German certifiers like "Stiftung Warentest", although, as Tagesschau reported, states invest billions more or less against exactly such security of encryption! In such cases UNIX commands like "tcptraceroute" can provide users with some important facts about such online connections (as00.estara.com). Instead, OpenSSL should strongly be updated from openssl.org at least to version >= 1.0.2d past 07.04.2014 ... as part of our DVD-2 mdv2010.0 updates!

Such red-marked text does not come to an end on our website "News&Links", if it were not red enough... Please click here!

OK
The essential idea: "PC refrigerator" through aerodynamics


might not originate from us, but it is to do everything right from the beginning. Not software, but the exemplary, power-saving and therefore power-supply-relieving hardware depicted in our data sheet stands in the center of interest here. To be more concrete, we talk about the computer tower itself, where everything should be prepared for the best air circulation. This cooling box (hardware refrigerator) makes it possible to cool down warm air by 3 up to 10 °C. All you need are one or better two coolers, one for the incoming air right at the bottom of the front of the tower and one more at the top of its back for letting the air out in a quite fast way. Therefore do not forget to seal the rest of the tower using plastic foils and adhesive tapes. Not only the circulating air but also the metal of the tower's walls contributes to cooling the inside. If possible, also follow the tip from fr2.rpmfind.net, where the tower of the server system consists of a half-cylindrical metal plate between the two coolers above the mainboard. Screen resolution and screen refresh rate should be set to "auto", allowing a fairly large rate between 59 and 95 Hz and higher. Now the eye-friendly graphic chip can show what performance is, especially during extreme load from OpenGL- and SDL-based computer game scenes, while the stable hardware might do its work forever too.

Mandriva Linux 2010 - The Calming


Therefore you mostly need:

2 SSDs of at least 128 GB each, or 1 SSD or 1 (external) hard drive of at least the capacity of the installation SSD or hard drive for restoration and backup
1 USB memory stick providing a rescue system with the command dd and the partition manager gparted, Mindi, Mondo, or a DVD with Knoppix (that you can download from the internet); best, following the manual on how to install on hard drive, such a Knoppix on a separate, small partition of 250 MB or more on the installation SSD or hard drive, and
1 directory for all the already installed packages.


See how Linux is prepared for durable, mouseclick-fast work with SSDs:

Linux tips & tricks
Linux ready and optimized for SSD: http://www.pcwelt.de/ratgeber/Linux-Special-SSDs-unter-Linux-6593528.html. The text of this website is in German, so we summarize: we recommend the full installation of Linux on SSD. Important is the ability to trim the SSD, which can be checked by the command "hdparm -I /dev/sda | grep -i TRIM". In /etc/fstab, noatime,nodiratime,data=writeback and possibly the option discard should be set for the root, home and temporary partitions; for SWAP use commit=0,data=writeback,discard. commit stands for the period after which data is written out of the cache onto the SSD. Do not set it too high, not above 600. The last thing to make the SSD work mouseclick-fast is the installation of the rpm packages hdparm and sdparm for el7. Following an instruction for Debian, also set in /etc/crypttab the option "allow-discards" for dm-crypt and in /etc/lvm/lvm.conf the option "allow-discards" for LVM (we resigned from LVM); for Btrfs file systems also set the mount option "ssd" in /etc/fstab. The read access speed in MB/s can be found out by "hdparm -t /dev/sda", and
one more test uses both options -t and -T, but also the option --direct ("Use O_DIRECT to bypass page cache for timings"), which leads to direct reads without page caching. This test is mostly used, as the pure data flow from the SSD within two resp. three seconds is measured: "hdparm -tT --direct /dev/sda"
Check whether the started kernel already recognizes the SSD: cat /sys/block/sda/queue/rotational
If zero resp. 0, it does! If not, please follow reports like https://wiki.ubuntuusers.de/SSD/Scheduler/

OK Following this report, the IO scheduler can be chosen: noop, deadline or CFQ. cat /sys/block/sda/queue/scheduler shows the activated one in square brackets. After performing tests like the above, choose the right one, which is mostly noop or especially deadline, by entering in /boot/grub/menu.lst (analogously for Grub2) the option "elevator=deadline" after the kernel options beginning with kernel=... and after ro resp. rw. The firmware version is shown by "hdparm -iv /dev/sda".


For TRIM-supporting SSDs, "discard" can be set not only in /etc/fstab, and allow-discards not only in crypttab, but for ext4 also by the command tune2fs:

OK
tune2fs -o discard /dev/device-filename resp. (in the case of LUKS encryption) tune2fs -o discard /dev/mapper/container_filename


This command makes the "durable" activation of SSD TRIM by the option "discard" possible without blocking.
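The SSD checks above (TRIM support, rotational flag, active scheduler, fstab options, commit interval, the Grub elevator entry), as an added example that is not part of Gooken's page: a POSIX shell script whose functions (names are mine) take the text that hdparm -I, the sysfs files and an /etc/fstab line would produce, so the decisions can be tried on constructed samples before a live disk is touched.

```shell
#!/bin/sh
# Added example (not Gooken's code): offline checks for the SSD settings
# described above. Each function takes the text that the real command
# (hdparm -I, cat /sys/block/sda/queue/..., /etc/fstab) would produce, so
# the logic can be exercised on constructed input first.

# Return 0 if the "hdparm -I" output reports TRIM support.
ssd_trim_supported() {
    printf '%s\n' "$1" | grep -qi 'TRIM supported'
}

# Return 0 if the kernel flags the device as non-rotating (rotational = 0).
is_ssd_by_kernel() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# Print the scheduler the kernel marks in square brackets,
# e.g. "noop [deadline] cfq" -> "deadline".
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Given one /etc/fstab line for an ext4 root/home/tmp partition, print the
# recommended options that are missing (comma separated, empty if complete).
fstab_missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in noatime nodiratime discard data=writeback; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Check that a commit= interval (seconds) in an option list is set and
# not above the 600 the text gives as the upper limit. Returns 0 if so.
commit_interval_ok() {
    c=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^commit=//p')
    [ -n "$c" ] && [ "$c" -le 600 ] 2>/dev/null
}

# Append elevator=deadline to a Grub kernel line unless an elevator
# is already chosen (idempotent, so re-running does not duplicate it).
grub_with_deadline() {
    case "$1" in
        *elevator=*) printf '%s\n' "$1" ;;
        *) printf '%s elevator=deadline\n' "$1" ;;
    esac
}

# --- constructed sample data, standing in for the live commands ---
SAMPLE_HDPARM='   *    Data Set Management TRIM supported (limit 8 blocks)'
SAMPLE_SCHED='noop [deadline] cfq'
SAMPLE_FSTAB='/dev/sda2 / ext4 defaults,noatime 1 1'
SAMPLE_KERNEL='kernel /boot/vmlinuz root=/dev/sda2 ro quiet'

ssd_trim_supported "$SAMPLE_HDPARM" && echo "TRIM: supported"
is_ssd_by_kernel 0 && echo "kernel sees a non-rotational device"
echo "scheduler: $(active_scheduler "$SAMPLE_SCHED")"
echo "missing fstab options: $(fstab_missing_opts "$SAMPLE_FSTAB")"
echo "grub: $(grub_with_deadline "$SAMPLE_KERNEL")"
```

On a real system replace the samples with "$(hdparm -I /dev/sda)", "$(cat /sys/block/sda/queue/scheduler)" and the matching line of /etc/fstab.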

Universal-Linux BULLET-PROOF: Root partition read-only
For the root and home partitions, depending on conditions, we can also set the ro option for read-only if we do not want to install or update anything anymore; do this by following the conditions of the articles at http://xpt.sourceforge.net/techdocs/nix/sysmng/sm08-ReadOnlyRootFileSystem/, https://wiki.debian.org/ReadonlyRoot, http://www.linuxfromscratch.org/hints/downloads/files/readonly_rootfs.txt and http://www.logicsupply.com/explore/io-hub/how-to-build-a-read-only-linux-system/ . Even think about deactivating the journalling of reiserfs by the option "nolog", which keeps the SSD from writing journals (that means logs of the last stable (error-free) state before errors occurred, in order to restore in error cases). More or less, setting the root partition read-only can be considered useful, but a little bit "paranoid":

OK "Read-only rootfs: Theory and Practice - Chris Simmonds, 2net
Configuring the rootfs to be read-only makes embedded systems more robust and reduces the wear on flash storage. In addition, by removing all state from the rootfs it becomes easier to implement system image updates and factory reset.
In this presentation, I show how to identify components that need to store some state, and to split it into volatile state that is needed only until the device shuts down and non-volatile state that is required permanently. I give examples and show various techniques of mapping writes onto volatile or non-volatile storage. To show how this works in practice, I use a standard Yocto Project build and show what changes you have to make to achieve a real-world embedded system with read-only rootfs. In the last section I consider the implications for software image update. Expect a live demonstration."
https://www.youtube.com/watch?v=Nocs3etLs9

https://wiki.debian.org/ReadonlyRoot # (usage at your own risk!)
Preconditions
The FHS allows mounting everything underneath /bin, /lib, /sbin and /usr read-only. But you can extend this much further by using different file systems for some trees and taking care of special files.
Locations that must be writable are /etc, /home, /srv, /tmp, /var. The hierarchies below /dev, /proc, /selinux and /sys are already handled by special file systems.
For /tmp you can use a tmpfs file system or its own file system. For /var it's preferred to use its own file system. An example can look like this:

Device file       Filesystem   Mount point   RO/RW
/dev/sda1         ext2         /             ro
/dev/sda2         ext3         /var          rw
tmpfs             tmpfs        /tmp          rw
/var/local/home   bind mount   /home         rw
/var/local/srv    bind mount   /srv          rw

You can use a file system without a journal for /, because you don't write there and you don't need the journal. This can be an ext4, too, hence you can take advantage of the improvements of ext4. Create the file system with mke2fs -t ext4 -O ^has_journal /dev/sda1 or remove the journal with tune2fs -O ^has_journal /dev/sda1.
Special files in /etc
You have to take care of some files in /etc. These are
adjtime
because it's modified on boot up; see bug 156489
Solution for mdv and el6, el7: Change the hwclock command in /etc/init.d/reboot and /etc/init.d/halt from "hwclock --systohc" to "hwclock --systohc --adjfile=/var/local/adjtime".
Solution for Debian Wheezy:
(1) add the option --noadjfile to HWCLOCKPARS in /etc/init.d/hwclockfirst.sh and /etc/init.d/hwclock.sh
or
(2) fix /etc/init.d/hwclockfirst.sh by replacing -f by -L in "if [ -w /etc ] && [ ! -f /etc/adjtime ] && [ ! -e /etc/adjtime ]; then"; see 520606.
alsa: init.d/alsa-utils
All versions of the alsa-utils package before alsa-utils/1.0.27.2-1 (as of 2013-10-25 this concerns the wheezy version) have a startup script that creates /.pulse files, leading to multiple error messages "Failed to create secure directory" when pulseaudio is installed.
Relevant bug: 712980
blkid.tab
because it's modified at runtime by libblkid1
Solution: You can't create a symlink from /etc/blkid.tab to /var/local/blkid.tab because, unfortunately, libblkid1 will not honour this symlink. It replaces it with a regular file on every write if the filesystem is mounted for writing (e.g. while doing an apt-get install). To work around this you must set the environment variable BLKID_FILE to /var/local/blkid.tab. You should do this in /etc/environment so the variable is set for everybody who might do mounting.
courier imap
Courier IMAP uses a text file (/etc/courier/shared/index) for fast user lookups if running as a mail server for virtual mailboxes (the default configuration of authenticating against PAM is unaffected by this).
If using virtual mailboxes with shared accounts, the file will need to be moved elsewhere; the directory /var/cache/courier/shared/ would be suitable but will need to be created manually.
Once that is done, update /etc/courier/imapd and change IMAP_SHAREDINDEXFILE to IMAP_SHAREDINDEXFILE=/etc/courier/shared/index .
See http://www.courier-mta.org/imap/README.sharedfolders.html for the information upstream provides about this setting.
cups
CUPS stores all kinds of state files under /etc (classes.conf, cupsd.conf, printers.conf, subscriptions.conf) and upstream is against any modification.
Relevant bug: 549673
lvm
LVM stores a backup of the current and archives of previous metadata in /etc/lvm/{backup,archive}. That causes any operation altering the metadata (vgreduce, vgextend, lvcreate, lvremove, lvresize, ...) to fail if / is not remounted read-write during the operation.
Solution: The location of the backup and archives is specified in /etc/lvm/lvm.conf. Set backup_dir = "/var/backups/lvm/backup" and archive_dir = "/var/backups/lvm/archive", create /var/backups/lvm and move /etc/lvm/backup and /etc/lvm/archive there.
Note: LVM normally creates a backup during boot. This no longer happens, as it is smart enough to see that /var is not yet mounted (or still read-only). But unless you use cluster LVM you will always already have a current backup from the last time you changed the metadata. So no harm done.
Relevant bugs: 372207 562234 (for etckeeper behavior WRT LVM files see 462355)
mtab, used by mount
Solution: Create a symlink from /etc/mtab to /proc/self/mounts.
mount.cifs (before smbfs 2:3.4.3-1) doesn't honour this symlink and replaces it with a real file; see 408394.
mtab is in /etc for historical reasons as per FHS 2.3.
network/run
Used by ifupdown up to Squeeze
Solution: ifupdown links /etc/network/run to /run/network in postinst if /etc/network/run is not a directory.
rm -rf /etc/network/run
dpkg-reconfigure ifupdown
Alternatively: Create a symlink from /etc/network/run to /lib/init/rw/etc-network-run (network/run is accessed by the ifupdown init scripts before /var might be mounted, hence the abuse of /lib/init/rw).
Systems running Wheezy will be automatically moved to using /run/network no matter what their existing configuration was.
Relevant bug: 389996
nologin
modified on boot up by the initscripts bootmisc.sh and rmnologin
This should already be a symlink to /var/lib/initscripts/nologin
In wheezy the init scripts directly modify /var/lib/initscripts/nologin
resolv.conf
If you have only a static nameserver configuration, then there's no problem. Otherwise you should use the package resolvconf.
passwd, shadow
These files might be modified by the user with the tools chfn, chsh and passwd. If you are the only user of your system, you can remount the filesystem read/write before using these tools. Otherwise you might think about using NIS or LDAP.
samba/dhcp.conf
If the dhcp3-client (AKA isc-dhcp-client) package is installed, every time a DHCP connection is established, /etc/dhcp3/dhclient-enter-hooks.d/samba creates /etc/samba/dhcp.conf, no matter if it is used or not in /etc/samba/smb.conf.
Relevant bug: 629406
suck
suck puts files in /etc/suck which are modified by suck at runtime; see 206631. To work around this problem, move /etc/suck/sucknewsrc* to a new directory /var/local/suck, create a symlink /etc/suck/suckkillfile to /var/local/suck/suckkillfile and set etcdir in get-news.conf to /var/local/suck (this sets the -dd option of suck).
udev
If the udev rules 75-cd-aliases-generator.rules and 75-persistent-net-generator.rules are enabled, udev will try to update the files 70-persistent-cd.rules and 70-persistent-net.rules in /etc/udev/rules.d/ when needed. It is recommended to create the files once with all the rules needed and then disable the /etc/init.d/udev-mtab init script. While the root is read-only, new rules are added to /dev/.udev/rules.d/.

Copy /var/lock resp. /var/lock/* to the mini partition for /var. Do the same for the kernel pseudo-filesystem /tmp, or set /tmp read-write. Copy /var/log/* there too and link it to /tmp: "ln -sf /tmp /var/log/*".

Link the Konqueror browser cache to /tmp: this means linking some cache files of /home/user/.kde4 resp. /home/surfuser/.kde4 to the temporary /tmp.
Enable readonly root
To have your root filesystem mounted read-only, edit your /etc/fstab and set the mount option ro.
# /etc/fstab: static file system information.
#
# file system mount point fs-type options dump pass
/dev/hda1 / ext2 defaults,noatime,ro,errors=remount-ro 0 0
/dev/hda4 /var ext3 defaults 0 2
The option noatime is useful while the disk is mounted read/write during updates.
https://wiki.debian.org/ReadonlyRoot, http://xpt.sourceforge.net/techdocs/nix/sysmng/sm08-ReadOnlyRootFileSystem/, http://www.linuxfromscratch.org/hints/downloads/files/readonly_rootfs.txt and http://www.logicsupply.com/explore/io-hub/how-to-build-a-read-only-linux-system/.
ext4 partition READ ONLY mounten - forum.ubuntuusers.de
forum.ubuntuusers.de/topic/ext4-partition-read-only-mounten

Next step: deactivate the journalling feature of file systems like ext4 and reiserfs (reiserfs: nolog option) and
disable the filesystem checks with tune2fs (ext4) resp. reiserfstune, and set the fsck pass field of the root partition to 0.

Now a correction within /etc/rc.sysinit has to be made, changing
"if remount_needed ; then
action "Remounting root filesystem in read-write mode: " mount -n -o remount,rw /
fi"
to
"if remount_needed ; then
action "Remounting root filesystem in read-write mode: " mount -n -o remount /
fi"
see https://bbs.archlinux.org/viewtopic.php?id=135943

At last, the kernel option "ro" should be entered in /boot/grub/menu.lst for grub, for example behind "root=UUID=...".


If these steps for setting the root partition read-only do not help, try the following article: http://xpt.sourceforge.net/techdocs/nix/sysmng/sm08-ReadOnlyRootFileSystem/single/

Generally, the security level of software is not only reflected by its stability, but also by the absence of errors and warnings the compiler reports while building its source code. Kernel 2.6.32 (el6) produces many of them, most caused by kmem.h, while kernel 4.20.13 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004, which leads to a manual LUKS password request even when a password key file exists; mdv2011: version 008) and glibc (el8, pclos, mga6), resp. kernel 2.6.39.4-5.1 (mdv2011), compiles on our system error-free and without any warnings during the roughly four hours of compile time! The only thing remaining is to apply the Dirty COW patch to mm.h and memory.c (listed in the internet). You can get current patches for this kernel from our section for updates.

After the installation of kernel 4.19 (pclos), look out for its requirements and install missing ones like kmod (pclos): "rpm -q --requires kernel-4.19....".

New Kernel: Configuration and Installation out of its source


How to install a new kernel: download and install all binary packages (rpm resp. deb) required for the kernel. Then download and unpack the kernel source rpm into /usr/src, either with "tar -xvjf kernel-source-package" or with file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a symlink named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "make oldconfig". A file .config is created to configure the kernel.


Set the kernel version at the top of the Makefile.
Type "make xconfig" or "make gconfig" or "make menuconfig" and configure which kernel drivers and so on are needed built-in (CC), needed as modules (CC MM), and which to leave out.

FSE (full system encryption) prevents chroots, mounts (see "man mount") and boot-ups, especially from systems on USB sticks and CD/DVD, from being used to read all kinds of data from storage media like hard drives and memory (RAM), and so prevents data theft and the like.

For FSE (full system encryption) by dracut, two options have to be enabled, which is already done in kernel-desktop (mdv2011) but not in kernel (el6):
within the first item "General Setup" enable "Initial RAM filesystem and RAM disk support", and in "Generic Driver Options" enable the option "Maintain a devtmpfs at /dev" with the sub-item "Automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know what to enable or not, choose MM to load it as a module wherever possible.


Linus Torvalds called the grsecurity patches rubbish (PRO-LINUX, 2017, 2018):

http://rpmfind.rediris.es/rpm2html/suse-8.2/secumod-1.6e-91.x86_64.html
Nice description, but as far as I know this kernel module does the following.
The system is protected by disallowing several things:

- 'texec' : TPE protection (Trusted Path Execution, more on this later)
- 'procfs' : procfs protection
- 'hardlink' : hardlink create protection
- 'symlink' : symlink follow protection
- 'rawdisk' : rawdisk protection
- 'pipe' : Pipe (FIFO) protection
- 'trace' : process trace protection
- 'systable' : syscall table checking
- 'logging' : if you want logging, turn this on
- 'persist' : by default this is set to 0, so the module can be unloaded, but you may set it to 1 to make it unremovable
- 'capbits' : set the capbits value. You have to supply a certain mode for the capbits variable.

Hardlink/symlink protection protects the system from users making these links.
Persist sets a capability so that the module cannot be unloaded.
Capbits are kernel bits that define certain rights even for root - in the normal case root could do almost anything.
Like in all cases you have to know what you do, because with that module loaded some processes will not have the full rights they need.
For example I tried a /proc protection module and hotplug froze after that (not funny).
There is no real description of anything regarding that module and I don't know which bits to set and which not!
Another thing is the open-source thing within that modules, because you can only use them on SuSE (with some disadvantages you can use the firewall script on Debian and Red Hat).
It is always a nice thing to make more of a secret of a thing than describing how it works.
Philippe
https://archive.cert.uni-stuttgart.de/suse-security/2003/09/msg00202.html

OK grsecurity patch - components (similar to secumod), en.wikipedia.org
kernel source: in the subdirectory /usr/src/kernel-version/, apply with "patch -p1 < ../grsecurity.patch"

PaX

A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory, the stack, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses.
Role-based access control
Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy which can be amended as needed.
A list of RBAC features:
Domain support for users and groups
Role transition tables
IP-based roles
Non-root access to special roles
Special roles that require no authentication
Nested subjects
Support for variables in the configuration
And, or, and difference set operations on variables in configuration
Object mode that controls the creation of setuid and setgid files
Create and delete object modes
Kernel interpretation of inheritance
Real-time regular expression resolution
Ability to deny ptraces to specific processes
User and group transition checking and enforcement on an inclusive or exclusive basis
/dev/grsec entry for kernel authentication and learning logs
Next-generation code that produces least-privilege policies for the entire system with no configuration
Policy statistics for gradm
Inheritance-based learning
Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
Full path names for offending process and parent process
RBAC status function for gradm
/proc/<pid>/ipaddr gives the remote address of the person who started a given process
Secure policy enforcement
Supports read, write, append, execute, view, and read-only ptrace object permissions
Supports hide, protect, and override subject flags
Supports the PaX flags
Shared memory protection feature
Integrated local attack response on all alerts
Subject flag that ensures a process can never execute trojaned code
Full-featured, fine-grained auditing
Resource, socket, and capability support
Protection against exploit bruteforcing
/proc/<pid> file descriptor/memory protection
Rules can be placed on non-existent files/processes
Policy regeneration on subjects and objects
Configurable log suppression
Configurable process accounting
Human-readable configuration
Not filesystem or architecture dependent
Scales well: supports as many policies as memory can handle with the same performance hit
No run-time memory allocation
SMP safe
O(1) time efficiency for most operations
Include directive for specifying additional policies
Enable, disable, reload capabilities
Option to hide kernel processes


Chroot restrictions
grsecurity restricts chroot in a variety of ways to prevent various vulnerabilities and privilege escalation attacks, as well as to add additional checks:
No attaching shared memory outside chroot
No kill, ptrace (architecture-independent), capget, setpgid, getpgid and getsid outside chroot
No sending of signals by fcntl outside chroot
No viewing of any process outside chroot, even if /proc is mounted
No mounting or remounting
No pivot_root
No double chroot
No fchdir out of chroot
Enforced chdir("/") upon chroot
No (f)chmod +s
No mknod
No sysctl writes
No raising of scheduler priority
No connecting to abstract unix domain sockets outside chroot
Removal of harmful privileges via cap


Miscellaneous features
Among other things, it can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging. Some of the other audit types allow the administrator to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging together with its arguments.
Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user. grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.
There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.
List of additional features and security improvements:
/proc restrictions that do not leak information about process owners
Symlink/hardlink restrictions to prevent /tmp races
FIFO restrictions
dmesg restriction
Enhanced implementation of trusted path execution
GID-based socket restrictions
Nearly all options are sysctl-tunable, with a locking mechanism
All alerts and audits support a feature that logs the IP address of the attacker with the log
Stream connections across Unix domain sockets carry the attacker's IP address with them (on 2.4 only)
Detection of local connections: copies the attacker's IP address to the other task
Automatic deterrence of exploit brute-forcing
Low, medium, high, and custom security levels
Tunable flood-time and burst for logging

https://en.wikipedia.org/wiki/Grsecurity


Activate only those options that will not lead to serious malfunctions of the kernel!

OK Install paxctld (rpm or tarball from http://www.grsecurity.net)

Save the new .config.
Three possibilities after patching the source code (in our case with the Dirty COW patch):
make -i rpm (creates the binary kernel rpm package; takes around four hours on our system)
make bzImage (creates only the kernel image for /boot, which has to be renamed from bzImage to vmlinuz; takes around 30 minutes) or
make bzImage && make modules && make modules_install to build and install the kernel modules as well.
Copy the bzImage to /boot and rename it to vmlinuz-kernelversion.
Use mkinitrd, resp. in the case of FSE (full disk encryption resp. encrypted root partition) dracut, to create the initrd resp. initramfs in the directory /boot.
If you use grub as the bootloader (not grub2) and its configuration file is not yet set up for the new kernel, edit /boot/grub/menu.lst and exchange the vmlinuz kernel versions. If a new initramfs or initrd was created, enter it in the initrd line.
Done.

In our /boot/grub/menu.lst (quite the same for grub2), the resulting entry for FSE (Full System Encryption), set up following gentoo-Schnatterente, is:
title dracut-mdv-008-Linux
password --md5 DOLLARSIGN103Axa2112...
kernel (hd0,7)/vmlinuz BOOT_IMAGE=dracut-mdv-008-Linux root=UUID=2193ab...rootfstype=ext4 ro elevator=deadline nosmp security=none panic=0 apparmor=0 selinux=0 disable=IPV6 audit=0 hibernate=protect_image iomem=strict nosmp iomem=relaxed speedboot=yes KEYMAP=de LANG=de_DE.UTF-8 intel.audio=1 intel.modeset=1 intel.dpm=1 rd.luks=1 rd.lvm=0 rd.md=0 rd.luks.allow-discards rd.luks.uuid=ab1....vga=795 video=VGA-1:1366x768 tz=Europe/Berlin
initrd (hd0,7)/initramfs

The 0 in (hd0,7) stands for sda, 1 for sdb etc., and the 7 for the boot partition sda8; deadline selects the SSD-optimizing elevator resp. I/O scheduler, which is introduced shortly below through the configuration by special echo commands.

OK kernel.yama.ptrace_scope=3
# 0 - Default attach security permissions.
# 1 - Restricted attach. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
# 3 - No attach. No process may call ptrace at all. Irrevocable.

echo "kernel.yama.ptrace_scope=3" > /etc/sysctl.d/10-ptrace.conf

Note that with scope 3 no debugger or tracer (gdb, strace and the like) can attach to any process until the next reboot, not even as root; scope 2 still allows that for processes holding CAP_SYS_PTRACE.

Boot parameter list:
http://redsymbol.net/linux-kernel-boot-parameters/2.6.39/

The rescue system Knoppix (Debian Linux, in our case Wheezy ol' stable i386 (32 bit) from 2010 with the partition manager gparted and dd, the browser Iceweasel and many tools and software), copied from DVD to an extra partition of at least 250 MB, is listed in /boot/grub/menu.lst of the boot manager Grub as follows:


title Rescue
password ....
root (hd0,4)
kernel /boot/isolinux/linux knoppix keyboard=de lang=de_DE.UTF-8 desktop=kde tz=Europe/Berlin
initrd /boot/isolinux/minirt.gz

boot

It boots within a few seconds and asks for the password needed to decrypt its partition and run. After the login, in order to decrypt all the other LUKS-encrypted partitions, LUKS/dm-crypt has to be installed, so at first the package cryptsetup has to be downloaded from the Debian pool (debian.org). Update glibc too. If you want, you can update and/or extend this system to a more comfortable Debian Linux on an enlarged partition.

To find out whether an SSD supports TRIM, as needed for the discard option of ext4 in /etc/fstab:

hdparm -I /dev/sda | grep -i trim


Our partition concept for the MCC partition manager (local hard drives) or gparted upon parted,
our partitions on a SanDisk SSD 120 GB:
OK LUKS (cryptsetup) encrypted extra partition (for sensitive data and so on, with a key file, i.e. for automatic encryption and decryption): 29 GB
OK LUKS (cryptsetup) encrypted root partition ("schnatterschnatter - but no ente"): 50 GB
OK LUKS (cryptsetup) encrypted SWAP partition (keyed from urandom, so it encrypts and decrypts itself on each boot): 1.9 GB (2 GB RAM)
OK Boot partition (unencrypted, which is why this partition should be backed up so that files like the kernel vmlinuz can be compared with md5sum or sha1sum): 203 MB
OK KNOPPIX encrypted partition: Knoppix (rescue system from DVD, a Debian Ol' Wheezy from 2010 updated up to 2016, with gparted, dd and much more; LUKS (cryptsetup) should be installed additionally for editing the other partitions listed above): 894 MB
OK LUKS (cryptsetup) encrypted home partition (encrypted and decrypted automatically during boot by a once generated key file stored on the root partition): 34 GB

Advantage: easy handling, without Logical Volume Management (LVM)!

All of this 1:1 on another backup medium, in our case the same model and therefore one more SanDisk 120 GB.
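The unencrypted boot partition is the one piece an attacker with physical access can alter without a password, which is why the text above suggests comparing vmlinuz against a stored md5sum or sha1sum. The following script is an added example, not code from Gooken.de: it generalizes that check to a SHA-256 manifest of every regular file under a directory (kernel, initramfs, grub configuration), writes it in the sha256sum(1) line format and later reports which files were modified, removed or added. The directory and manifest paths are parameters, so it can be tried on a temporary directory; the manifest itself should live on the encrypted root partition or the backup medium, not in /boot.

```python
"""Record and verify SHA-256 checksums of the files on an unencrypted /boot.

Added example (not the page's own code). SHA-256 is used instead of the
MD5/SHA-1 the text mentions, and the whole directory is covered instead of
only vmlinuz.
"""
import hashlib
import os


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so a large initramfs does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root.

    Symlinks are skipped: their targets are hashed under their own names."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """Write the manifest as '<hex digest>  <relative path>' lines (sha256sum -c format)."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Parse a manifest written by write_manifest (or by sha256sum) back into a dict."""
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, _sep, rel = line.partition("  ")
            manifest[rel] = digest
    return manifest


def verify(root, stored):
    """Compare the current contents of root against a stored manifest.

    Returns the relative paths that were modified, are missing, or appeared
    without being recorded; all three lists empty means nothing changed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in stored if p in current and current[p] != stored[p]),
        "missing": sorted(p for p in stored if p not in current),
        "unexpected": sorted(p for p in current if p not in stored),
    }


if __name__ == "__main__":
    import sys
    # usage: boot_manifest.py record|verify /boot /root/boot.sha256
    mode, boot_dir, manifest_path = sys.argv[1:4]
    if mode == "record":
        write_manifest(build_manifest(boot_dir), manifest_path)
    else:
        result = verify(boot_dir, read_manifest(manifest_path))
        for kind, paths in result.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(1 if any(result.values()) else 0)
```

Run "record" right after installing a kernel and "verify" before each boot you have doubts about, for example from the Knoppix rescue partition; a non-zero exit status means the manifest and the partition disagree. Because the manifest uses the sha256sum format, "sha256sum -c /root/boot.sha256" run inside /boot gives the same verdict without Python.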

OK /etc/crypttab
# <target name> <source device> <key file> <options>
cryptohome UUID=.... /somewhere/keyfile luks,data=ordered,allow-discards
cryptswap /dev/sda_certain_number /dev/urandom swap,check=/bin/true,data=ordered,allow-discards

/boot/grub/menu.lst:
setkey y z
setkey z y
setkey Y Z
setkey Z Y
setkey equal parenright
setkey parenright parenleft
setkey parenleft asterisk
setkey doublequote at
setkey plus bracketright
setkey minus slash
setkey slash ampersand
setkey ampersand percent
setkey percent caret
setkey underscore question
setkey question underscore
setkey semicolon less
setkey less numbersign
setkey numbersign backslash
setkey colon greater
setkey greater bar
setkey asterisk braceright
timeout 10
password --md5 ...
default 0
kernel (hd0,7)/vmlinuz BOOT_IMAGE=linux root=UUID=c1... rd.luks.allow-discards rootfstype=ext4 nosmp elevator=deadline security=none nosmp speedboot=yes panic=0 apparmor=0 iomem=strict hibernate=protect_image disable=IPV6 selinux=0 audit=0 KEYMAP=de LANG=de_DE.UTF-8 intel.audio=1 intel.modeset=1 intel.dpm=1 rd.luks=1 rd.multipath=0 rd.dm=0 rd.lvm=0 rd.md=0 rd.shell=0 rd.luks.uuid=3... video=VGA-1:1366x768 vga=795 tz=Europe/Berlin desktop=kde
initrd (hd0,7)/initramfs-4.9.49


The root partition seems to be sized quite small, so we suggest choosing 60 GB instead of 50, at the expense of the extra partition.

Order of the fields of each entry in the device configuration file /etc/fstab:
1 device file (partition or disk), device, UUID or kernel pseudo-filesystem
2 mount point
3 filesystem
4 mount options
5 dump
6 fsck pass (self-check during the system start resp. boot)
Details:

OK So in /etc/fstab we can set for ext4 (discard supported), ext3 (without discard), reiserfs (without discard), reiser4fs (discard), btrfs (discard), vfat (without discard):

OK root partition: UUID=... / ext4 notail,noatime,nodiratime,barrier=flush,data=writeback,nouser,user_xattr,mode=500,async,commit=0,umask=077,iocharset=utf-8,acl 0
OK boot partition (here because of dracut): UUID=... /boot ext4 noatime,nodiratime,ro,nouser,nouser,noexec,async,nosuid,mode=500,umask=077,user_xattr,data=writeback,commit=0,iocharset=utf-8,acl 0 3
OK home partition: /dev/mapper/cryptohome /home ext4 rw,suid,nodev,noexec,nosuid,auto,async,noatime,nodiratime,discard,data=writeback,commit=0,nouser_xattr,barrier=1,journal_checksum,mode=700,umask=077,errors=remount-ro,iocharset=utf-8 0 # automatic cryptsetup is recommended (cryptsetup option --key-file): access is only possible via the root partition holding the stored key file. Access rights for the key file: chown root:root /path_to_key_file/key.asc && chmod 400 /path_to_key_file/key.asc
# exec or noexec
OK /dev/cdrom /media/cdrom auto umask=0,users,noauto,iocharset=utf8,ro,noexec 0 0
OK proc /sid-root/proc proc notail,noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,data=writeback,mode=555,hidepid=2,gid=user,surfgroup,torgroup 0 0 # mouseclick-fast
none /proc proc notail,noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,data=writeback,mode=555 0 0
OK # usbfs /proc/bus/usb usbfs rw,relatime,devgid=43,devmode=664,noexec 0 0 # if not already mounted during system boot; notice: the MCC partition manager and others will miss /proc/bus/usb
OK sysfs /sid-root/sys sysfs notail,noatime,nosuid,nodiratime,rw,noexec,nouser,nosuid,nodev,data=writeback,mode=555 0 0
OK Temporary, tmp in RAM:
OK tmpfs /tmp tmpfs noatime,nodiratime,noexec,ro,nodev,nouser,nosuid,mode=1777,size=8M 0 0 # the original tmp, hidden by firejail through the option "private-tmp" in the /etc/firejail config files
OK shm /tmp tmpfs noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,mode=1777 0 0
OK tmpfs /tmp2 tmpfs noatime,nodiratime,noexec,ro,nodev,nouser,nosuid,mode=1777,size=128M 0 0 # one more tmp for down- and uploads
OK shm /tmp2 tmpfs noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,mode=1777 0 0
# SWAP:
OK /dev/mapper/cryptswap swap swap defaults,discard,rw,data=writeback 0 0
OK none /dev/pts devpts mode=620,gid=5,rw
OK UUID=... /var/local ext4 rw,noatime,nodiratime,nosuid,async,nodev,noexec,user_xattr,acl,barrier=1,data=writeback,mode=755,umask=077,commit=0,iocharset=utf8 # needed, in a small size of around 1 GB, in order to mount the root partition read-only
OK binfmt /proc/sys/fs/binfmt_misc binfmt_misc rw,noatime 0 0 # binfmt_misc is a capability of the Linux kernel which allows arbitrary executable file formats to be recognized and passed to certain user space applications, such as emulators and virtual machines. The executable formats are registered through a special purpose file system interface (similar to /proc). Debian-based distributions provide the functionality through an extra binfmt-support package. See https://en.wikipedia.org/wiki/Binfmt_misc

securityfs /sys/kernel/security /mnt/any_mountpoint securityfs rw,noatime 0 0 # lsm, secure fs for kernel-security-modules ... or mount it within /etc/rc.local by "mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2"
# and /etc/fstab of our USB-stick:
/dev/sda1 / unionfs 0 1

/dev/mapper/usbstick1 /media/mnt_usb1 vfat rw,nosuid,nodev,uhelper=hal,users,noexec,uid=10001,utf8,shortname=mixed,flush,umask=077 0 1 # An entry in /etc/crypttab alone, instead of entries in both fstab and crypttab, is sufficient. LUKS-encrypted USB memory stick with UUID (find it out with mount -l) and name usbstick1 within /etc/crypttab. Also think about mounting this encrypted USB stick without having to enter the passphrase manually at each system boot: create a key file or use the one already present for cryptohome, add this key file to /etc/crypttab and associate it with the USB stick by the command "cryptsetup luksAddKey /dev/sdc1 /path_to_keyfile/keyfile". Notice that it might not be necessary to add this entry for a USB memory stick to /etc/fstab here. Do this only in case of problems with hotplugging it!

OK /etc/fstab: use UUIDs instead of named device partitions. Find out the UUIDs with the console command "blkid" (not applicable to the internal kernel pseudo-filesystems).
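A mistake in one of the lines above (a field too many, a misspelled option, an option the filesystem driver does not know) is only noticed when the mount fails at boot, and with a read-only root that can leave the system unbootable, which is why the text later advises testing options with "mount -o options devicefile mountpoint" first. The following checker is an added example, not code from Gooken.de, that does the mechanical part of that test offline: it parses fstab syntax (comments, field count, numeric dump and pass fields), reports options given twice or contradicting each other (ro with rw, suid with nosuid, ...) and flags a few options that belong to reiserfs, vfat or tmpfs/devpts (notail, nolog, umask=, uid=, gid=, mode=, iocharset=) when they appear on an ext2/ext3/ext4 line, where the kernel rejects them as unrecognized. The sample fstab text inside the script is constructed for the demonstration and modelled on the entries above; run on those entries it would, for instance, report the doubled nouser on the boot line and suid together with nosuid on the home line.

```python
"""Offline sanity check of /etc/fstab entries before rebooting into them.

Added example, not the page's own code. The option knowledge below is a
deliberately small, hand-made list; an empty report means "nothing obviously
wrong", not "every option is valid", so keep testing with mount -o as well.
"""

# Pairs that set and clear the same mount flag; both on one line is a mistake.
CONTRADICTIONS = [
    ("ro", "rw"), ("suid", "nosuid"), ("dev", "nodev"), ("exec", "noexec"),
    ("auto", "noauto"), ("user", "nouser"), ("sync", "async"),
    ("atime", "noatime"), ("diratime", "nodiratime"),
]

# Options the ext2/ext3/ext4 drivers do not know (they belong to reiserfs,
# vfat/ntfs or tmpfs/devpts); on an ext line the mount fails at boot.
NOT_EXT_OPTIONS = {"notail", "nolog", "umask", "uid", "gid", "mode", "iocharset"}


def parse_fstab(text):
    """Return a list of (line_number, fields) for every non-comment fstab line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # fstab allows trailing # comments
        if line:
            entries.append((lineno, line.split()))
    return entries


def check_entry(fields):
    """Return a list of problem descriptions for one entry (empty if it looks sane)."""
    problems = []
    if len(fields) < 4:
        return [f"only {len(fields)} fields, need device, mount point, type and options"]
    if len(fields) > 6:
        problems.append(f"{len(fields)} fields; mount options may not contain spaces")
    _device, mountpoint, fstype, options = fields[:4]
    for idx, name in ((4, "dump"), (5, "pass")):
        if len(fields) > idx and not fields[idx].isdigit():
            problems.append(f"{name} field must be a number, got {fields[idx]!r}")
    names = [opt.split("=", 1)[0] for opt in options.split(",")]
    seen = set()
    for n in names:
        if n in seen:
            problems.append(f"option {n!r} given twice")
        seen.add(n)
    for a, b in CONTRADICTIONS:
        if a in seen and b in seen:
            problems.append(f"options {a!r} and {b!r} contradict each other")
    if fstype in ("ext2", "ext3", "ext4"):
        for n in sorted(seen & NOT_EXT_OPTIONS):
            problems.append(f"option {n!r} is not an {fstype} mount option")
    if mountpoint not in ("none", "swap") and not mountpoint.startswith("/"):
        problems.append(f"mount point {mountpoint!r} is not an absolute path")
    return problems


def check_fstab(text):
    """Return {line_number: [problems]} for every entry that has at least one problem."""
    report = {}
    for lineno, fields in parse_fstab(text):
        problems = check_entry(fields)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample, modelled on the entries discussed in the text (not a real fstab).
SAMPLE_FSTAB = """\
# constructed sample fstab
UUID=1111-root  /      ext4   noatime,nodiratime,nouser,user_xattr,acl,commit=0      0 1
UUID=2222-boot  /boot  ext4   noatime,ro,nouser,nouser,noexec,nosuid,mode=500        0 2
/dev/mapper/cryptohome /home ext4 rw,suid,nodev,noexec,nosuid,noatime,discard,umask=077 0 2
tmpfs           /tmp   tmpfs  noatime,noexec,nodev,nosuid,mode=1777,size=128M         0 0
/dev/mapper/cryptswap none swap defaults,discard 0 0
UUID=3333-var   /var/local ext4 rw,noatime,nosuid,async,nodev,noexec 0 x
"""

if __name__ == "__main__":
    import sys
    # usage: fstab_check.py [/etc/fstab]; without an argument the sample is checked
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for lineno, problems in sorted(check_fstab(text).items()):
        for p in problems:
            print(f"line {lineno}: {p}")
```

Run it against /etc/fstab before the reboot that follows an edit; every reported line is one the mount step would otherwise trip over. Extending NOT_EXT_OPTIONS, or adding a similar set for reiserfs (which, as noted further down, rejects barrier, errors and discard), is a matter of adding names to the set.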

OK AHCI mode: BIOS setup for SSD
Start the BIOS / firmware setup and check whether AHCI mode (Advanced Host Controller Interface) is active for the SATA adapter. Alternatively "RAID" is possible too.
You will usually find the option in the menu under "Advanced -> Integrated Peripherals", "SATA Configuration" or "PCH Storage Configuration". Older mainboards also have the option "IDE", which should not be chosen if the throughput of the drives is to be increased. If only "IDE" is offered, you have to forgo the SATA optimization.
On an overview page ("System Status" or similar) you usually find information about the SATA port the drives are connected to. New motherboards only have SATA ports with fast 6 GBit/s (SATA III) and any port can be used. SATA II as well as SATA I fulfil our criteria to make everything run mouseclick-fast.

OK And in /etc/rc.local (run by adding "sh /etc/rc.local" to any activated boot script in /etc/init.d/, followed by a system restart) we choose the following parameters for the optimized SSD (in our example on the first SATA port, named sda), after a check with "hdparm -I /dev/sda" and "man hdparm":

hdparm -W1a0A0 /dev/sda   # also try other optimizing parameters of hdparm
echo deadline > /sys/block/sda/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
touch /var/lock/subsys/local


SSD: commit=0: mouseclick-fast

The option defaults stands for rw,suid,dev,exec,auto,nouser,async, all of which are security-relevant.


man mount: "All I/O to the filesystem should be done synchronously. In case of media with limited number of write cycles (e.g. some flash drives) "sync" may cause life-cycle shortening." In other words, for an SSD prefer the option async!

The security-advisable option "W0" instead of the chosen "W1" deactivates the write cache of the SSD, which protects data even more in the case of system hangs and crashes. More parameters of hdparm are explained by "hdparm -h" and the man pages, see "man hdparm". Notice that for more performance "W1", write caching on, is generally recommended.

The pair of numbers at the end of an entry, like "0 1", stands for dump (0 = no) and fsck (1 = yes), where the fsck number means: 0 no check, 1 recommended for the root partition, 2 for all other partitions and 3 for all less important partitions. With these settings the named filesystem cannot be damaged anymore; otherwise, if it ever should be necessary, run "reiserfsck --no-tree device_file" manually to do its best for reiserfs.

umask: generally sets the access rights by subtracting from the default permissions: set umask 022, standing for at most 755, resp. umask 077 for at most 700, for the root and home partition in /etc/fstab and also in /etc/profile, /etc/login.defs, /home/user/.bash_profile, /home/surfuser/.bash_profile, /root/.bash_profile, and as ROOT_UMASK=077 and USER_UMASK=077 in /etc/security/msec/level.secure; acl: enables POSIX Access Control Lists.

Keep everything as SSD-friendly and mouseclick-fast as you can: link the browser cache of Konqueror to the temporary directory /tmp, which is part of shm (shared memory, RAM) per the fstab above:

OK rm -df /home/surfuser/.kde4/cache-localhost and ln -sf /tmp /home/surfuser/.kde4/cache-localhost, and the same for /home/surfuser/tmp, /home/user/.kde4/cache-localhost, /home/user/.kde4/socket-localhost, /home/user/.kde4/tmp, /home/user/.kde4/tmp-localhost and

ln -sf /tmp/kde-user /home/user/.kde4/tmp-localhost.localdomain, ln -sf /tmp/kde-surfuser /home/surfuser/.kde4/tmp-localhost.localdomain. In the long run this spares plenty of cleaning. Do not link cache-localhost.localdomain and socket-localhost.localdomain, as this might cause problems starting KDE.

OK ln -sf /tmp /home/alluser/.cache2 && rm -dfr /home/alluser/.cache && rename /home/alluser/.cache2 /home/alluser/.cache /home/alluser/.cache2

bleachbit (el6, cleaner): This program can cause serious damage!

We go on for SSD: option discard does not work with every kernel and SSD. commit sets the interval or frequency of write operations, 5 s by default; it is not recommended to change this value. barrier is one more feature of ext4 and ext3 that takes care that (coherent) data are written completely in front of a barrier before further data are written behind it. barrier=1 gives more security, while barrier=0 contributes to more performance. ro for read-only still should not be set for the root partition, as this would cause "skipping journal replay". data=writeback means "Data ordering (data=ordered) is not preserved, data may be written into the main file system after its metadata has been committed to the journal.", for the options see http://www.mjmwired.net/kernel/Documentation/filesystems/ext4.txt#169 . Most options are accepted by ext3 too, but not by reiserfs: notice that reiserfs does not accept all of the listed options, among them barrier, errors and discard, while the option nolog is accepted. Test options by "mount -o options devicefile mountpoint" before they are set in /etc/fstab!
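Before a line goes into /etc/fstab, the rules just stated can be checked mechanically. The following script is an added example, not code from the Gooken page; it assumes only the option rules given in the text above (reiserfs rejects barrier, errors and discard; ro on / skips journal replay; sync shortens SSD life; fsck pass 1 belongs to the root partition only) and runs over a constructed sample fstab.

```shell
#!/bin/sh
# Added example (not from the Gooken page): pre-check fstab lines against the
# mount-option rules discussed above before they are written to /etc/fstab.

# check_fstab_line "device mountpoint fstype options dump pass"
# Prints one finding per line; prints nothing when the line passes.
check_fstab_line() {
    set -- $1                          # split the fstab fields on whitespace
    mnt=$2; fstype=$3; opts=$4; dump=$5; pass=$6

    oldifs=$IFS; IFS=,
    for o in $opts; do                 # iterate over the comma-separated options
        name=${o%%=*}                  # option name without a =value part
        case $name in
            sync) echo "$mnt: sync forces synchronous I/O, prefer async on an SSD" ;;
            ro)   if [ "$mnt" = / ]; then
                      echo "$mnt: ro on the root partition leads to skipping journal replay"
                  fi ;;
            data) if [ "$o" = data=writeback ]; then
                      echo "$mnt: data=writeback gives up data ordering (data=ordered)"
                  fi ;;
        esac
        case $fstype:$name in
            reiserfs:barrier|reiserfs:errors|reiserfs:discard)
                echo "$mnt: reiserfs does not accept option $name" ;;
        esac
    done
    IFS=$oldifs

    # sixth field: fsck pass order, 1 is reserved for the root partition
    if [ "$mnt" = / ] && [ "$pass" != 1 ]; then
        echo "$mnt: root partition should use fsck pass 1, not $pass"
    elif [ "$mnt" != / ] && [ "$pass" = 1 ]; then
        echo "$mnt: only the root partition should use fsck pass 1"
    fi
    # fifth field: dump flag
    case $dump in
        0|1) ;;
        *)   echo "$mnt: dump field must be 0 or 1, not $dump" ;;
    esac
    return 0
}

# check_fstab FILE: run check_fstab_line over every non-comment line of FILE
check_fstab() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;        # skip blank lines and comments
        esac
        check_fstab_line "$line"
    done < "$1"
    return 0
}

# Constructed sample fstab (not a real system's): one bad line, one good line.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed example, not a real fstab
/dev/sda2 /     reiserfs sync,barrier=1,ro                   0 2
/dev/sda3 /home ext4     async,noatime,barrier=1,nosuid,nodev 0 2
EOF
check_fstab "$SAMPLE_FSTAB"
```

The first sample line yields four findings, the second none; the check does not replace "mount -o" testing, which is still the way to learn whether a given kernel accepts an option.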

rpm-description cmospwd (el6): "CmosPwd decrypts password stored in cmos used to access BIOS SETUP. Works with the following BIOSes * ACER/IBM BIOS * AMI BIOS * AMI WinBIOS 2.5 * Award 4.5x/4.6x/6.0 * Compaq (1992) * Compaq (New version) * IBM (PS/2, Activa, Thinkpad) * Packard Bell * Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107 * Phoenix 4 release 6 (User) * Gateway Solo - Phoenix 4.0 release 6 * Toshiba * Zenith AMI With CmosPwd, you can also backup, restore and erase/kill cmos."

So at first, generally the best thing one can do is to cut off the complete internet access (which we do not suppose...) and to get a spare backup SSD or hard drive, for the case of all the package dependencies that remain unsolved on mdv2010 for the packages you are going to install, that means in order to

Browser cache into RAM
about:config -> add a new entry of type string
with the value /shm
After a restart, firefox caches into RAM. Proceed the same way for other browsers, source: http://wiki.siduction.de/index.php?title=Solid_State_Disks_(SSDs)_unter_Linux_optimal_nutzen&printable=yes. For Konqueror just link the directory /home/username/.kde4/localhost-cache to /shm.

Make sure that gnutls (el7) together with libtasn1 (el7) is installed. Otherwise gnutls might not work correctly for firefox.

backup partitionwise 1:1 by command dd (details see below)


OK Flashrom, Coreboot
Have a second BIOS chip. Save the actual BIOS firmware of the BIOS chip in use into a bin(ary) resp. rom file. This can be done by a utility from the driver disc of the mainboard, from the internet or by the UNIX (Linux) program called
flashrom. flashrom is a utility for detecting, reading, writing, verifying and erasing flash chips. It is often used to flash BIOS/EFI/coreboot/firmware images in-system using a supported mainboard, but it also supports flashing of network cards (NICs), SATA controller cards and other external devices which can program flash chips. On malfunction, especially after powering on the computer, you can flash the BIOS from the backup right from the desktop; if not, you have to exchange the chip or the network adapter, the same for the RAM, which can be checked by UNIX (Linux) programs like memtest. For the protection against wiretapping bugs care for "chassis intrusion detection", use as few USB cards as possible, check whether the BIOS has been reset and whether there is any audible feedback from hardware in spite of FCC. Compare constructions and notice any specifications directly from the boards like the manufacturer types or IDs. With some luck, a radio tunes into their frequencies.

"Welcome to coreboot!
coreboot is an Open Source project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload. With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly from firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.
coreboot currently supports over 230 different mainboards. Check the Support page to see if your system is supported."
https://www.coreboot.org/Welcome_to_coreboot
https://www.coreboot.org/Supported_Motherboards

OK
Password-protection


If Linfw3 is used, so that root and all other users except a special surfuser get blocked, and if all other methods introduced here on this website are applied, no password hacking and cracking is possible anymore, not even after the password has become known to others and independent of its name or constitution or whoever and whatever, neither from the outside (net), the inside (software) nor directly at the office, at home or anywhere else. Keys for the LUKS-encrypted partitions must be stored on a portable USB memory stick, better a memory/chip card or fingerprint scanner.

Password protection on our introduced exemplary system:
BIOS password
Grub md5 password for all bootable partitions and the memory check within /boot/grub/menu.lst
Special (own) password for the always LUKS-encrypted partitions on the basis of FSE (Full System Encryption), with the keys (passwords) for the dracut-bound root partition on a LUKS-password-encrypted USB memory stick, the rest (see the exemplary listed /etc/fstab) as sha2 key files for user:group root:root with chmod 400 within any directory of the root partition
Secured LUKS root partition with manual password login on a separate storage medium for the case of data loss of the USB memory stick etc.
ACL-locked su login for "surfuser"
Keys (passwords) for the additional encryption of e-mail and single directories and files with gnupg (kgpg) within the directory .gnupg, made inaccessible for "surfuser" by ACL
Desktop manager: user password for kdm and other desktop managers (or, simplifying, automated login free of password entry)
Passwords for LUKS-encrypted USB memory sticks
Password manager for the twice password-encrypted storage of all other passwords: revelation (el6, el7, rosa2014.1, rosa2016.1, fc 2X)
/etc/shadow (password) file: chown root:root and chmod 400
OK inaccessible shell/bash login in /etc/passwd and possibly usage of the sandbox firejail with option "shell none"

Password protection, Focus, 11.04.2015
Snowden said that hackers could crack a primitive password within one second. But the whistleblower gives tips on how to keep passwords safe so that they can not be hacked: by passphrases. Most passwords are simple variants like "12345678", "password" or the forename of the user. Edward Snowden thinks that passwords with a length of eight characters still remain very insecure; they could be hacked by supercomputers in less than one second. Passphrases are passwords consisting of more than one word. Long sentences that appear only once, like

angelamerkelist110%SEXY


are easy to remember and combine different characters. They could not be decrypted by hacking programs.

A similar uncrackable method of password generation is described by PCWelt.de on http://www.pcwelt.de/ratgeber/So-erstellen-und-merken-Sie-sich-wirklich-sichere-Passwoerter-ohne-Zusatz-Tools-9940466.html .

Expert explains: The perfect password would take hackers 227 million years to crack, FOCUS Online, 09.05.2018
https://www.focus.de/digital/videos/geheimnis-liegt-in-drei-worten-experte-erklaert-hacker-wuerden-227-millionen-jahre-fuer-dieses-passwort-brauchen_id_7744168.html

Passwords are stored in /etc/shadow, which, as we hope, is accessible to root only. This file is referenced from /etc/passwd, which lists user names, the groups they belong to, an "x" in place of the password (meaning it is read from /etc/shadow) and so on.

Sensitive data should never be stored on the onboard resp. plugged-in storage media (SSDs and hard drives), but only on the unplugged ones containing the backups and on well-encrypted USB memory sticks!


More Internet Security
pam_shield (el6): pam_shield is a PAM module that uses iptables to lock out script kiddies that probe your computer for open logins and/or easily guessable passwords. pam_shield is meant as an aid to protect public computers on the open internet. An IP can also be entered manually into the belonging database by the command shield-trigger add 122.22.1.2, and deleted the same way with "del". pam_shield is configured in /etc/security/shield.conf.
fail2ban (el6): Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.

DenyHosts is a Python script that analyzes the sshd server log messages to determine which hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host and, upon discovering a repeated attack host, updates the /etc/hosts.deny file to prevent future break-in attempts from that host. Email reports can be sent to a system admin.
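What these three tools have in common is the counting step: group failed logins by source address and act once a threshold is reached. The script below is an added example, not code from pam_shield, fail2ban or DenyHosts; it assumes OpenSSH-style "Failed password for ... from <ip> port ..." lines and runs over a constructed sample log, printing the pam_shield command from the text rather than executing it.

```shell
#!/bin/sh
# Added example (not code from pam_shield, fail2ban or DenyHosts): the counting
# step those tools automate, run here over a few constructed sshd log lines.

# failed_logins_over LOGFILE THRESHOLD
# Prints "ip count" for every source with at least THRESHOLD failed passwords,
# most failures first.
failed_logins_over() {
    awk -v min="$2" '
        /Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# ban_commands LOGFILE THRESHOLD
# Prints, without running them, the pam_shield commands from the text above
# that an administrator would review before blocking each offender.
ban_commands() {
    failed_logins_over "$1" "$2" | while read -r ip count; do
        echo "shield-trigger add $ip   # $count failed logins"
    done
}

# Constructed sample log (documentation addresses, not real attackers).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:05 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:09 host sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:12 host sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:15 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar  3 10:02:40 host sshd[2110]: Failed password for surfuser from 198.51.100.7 port 51002 ssh2
Mar  3 10:02:44 host sshd[2110]: Failed password for surfuser from 198.51.100.7 port 51002 ssh2
Mar  3 10:02:50 host sshd[2110]: Accepted password for surfuser from 198.51.100.7 port 51002 ssh2
EOF

failed_logins_over "$SAMPLE_LOG" 3      # only 203.0.113.5 reaches this threshold
```

On el6 the real input would be /var/log/secure; the second address in the sample stays below the threshold and then logs in successfully, which is why the threshold, not the mere presence of a failure, decides.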

If you observe this principle, the computer generally provides the promised security for you.

Of course we tested and own MS Windows. As we all know, it is not sufficient just to install an operating system and security software to call the computer system really secure, while finding out that effective solutions may cost time! Installation should be done only by users with the rights of the system administrator. During installation the signature helps to verify the origin of the software. Before the installation itself, package managers check for duplicates and dependencies. If a package is missing, package managers like urpmi can download and install all needed packages from different sources and the internet to solve them. After that, version control by CVS (Version Controlling Systems) can also do its best. The package database seems similar to the MS Windows registry, but is not that complex. If the package database should ever be damaged, it can be repaired in a simple way by the commands rm -f /var/lib/rpm/__* and rpm --rebuilddb. If this does not help, start the MCC package manager rpmdrake in order to install any package; rpmdrake is mostly able to solve such conflicts. Notice that the files downloaded by MCC are stored at least temporarily in the directory /var/cache/urpmi/rpms. Not all of the infinite amount of package dependencies are solved, not even in mdv2010!

Indeed: our experience in mdv2010 tells us that the only weak point still lies in the overwhelming amount of package dependencies during an intensive online installation of many packages "at once" by rpmdrake from MCC (drakconf), of a complexity much higher than from the installation DVD. Therefore we recommend not to download too many packages, not more than 50 "at once", and to have a look into the directory /var/lib/urpmi/rpms, where the not yet installed packages are still stored if MCC was set to "do not empty the package cache after download" before. Then the error messages of the reinstallation by package managers like rpm, urpmi and yum mostly tell what to do next: whether, in spite of the checks of rpmdrake, any rpm, especially a library rpm, is still missing, or whether one rpm conflicts with another one that has to be deleted before the reinstallation is possible.

We repeat: tagesschau, 07.31.2014: scientific experts have found out that sensitive data can be read out through the microcontrollers (processors) of USB sticks, see the report from our link page under the point links! Therefore a new USB standard is being developed. By this, all data of computers can be read out, even passwords and e-mail contents, and devices like webcams can be steered. The operating system does not notice any of this, as it believes in keystrokes and not in software attacks.

mouseclick-fast


Mouseclick-fast: We have almost only the following services activated through MCC: NetworkManager, acpid, alsa, cups, dnsmasq, gpm, ip6tables, iptables, jexec, linfw3, lm_sensors, partmon, postfix, sound, sysstat, udev-post, uuidd, wine and sometimes ntpd and httpd.

That's all. So the service network got deactivated too, by the command "chkconfig --level 2345 network off".

Increase the surf speed of the browser: press Ctrl+Esc, choose the process of the browser by right-clicking on it and pull the appearing slider for the process priority at least a quarter of its length to the right. Alternatively use the terminal commands nice and renice for a priority between -20 and 19 inclusive, default is 0 (source: Focus Online, 07.11.2015); Gooken recommends extremely high priorities for Dolphin, Kmail, Kontact, Kopete, Office, some OpenGL and SDL games (if useful) and Konqueror and/or any other browser.

Brake block and espionage: "root,-1", a (dangerous, speed lowering) (system) process named unknown (for login under uid:0) of owner "root,-1" with changing PID and an unknown, "kept secret" amount of CPU load


In advance, this might really help: setfacl -m u:root:- /usr/libexec/gam_server. Also exchange gamin (mdv2010) with gamin (pclos2017).

http://stackoverflow.com/questions/13655110/how-to-kill-a-process-whose-pid-keeps-changing:
Such a process is called a "comet" by systems administrators.
The process group ID (PGID) doesn't change on fork, so you can kill it (or SIGSTOP it) by sending a signal to the process group (you pass a negated PGID instead of a PID to kill).
answered Dec 1 '12 at 1:18
caf
What if it calls setpgid/setsid each time too? :-) - R.. Dec 1 '12 at 2:28
The only reason, I can see, why you wouldn't see it is, that the forked child has not been created yet but the parent has progressed far enough in its death that it is no longer listed.
Unfortunately I don't think it's possible to kill this kind of process without some guessing. To do so would require knowing the next pid in advance. You can guess the next pid but not be certain that no other pid gets it assigned.

We generally want to get rid of such processes: wait for our new experiences at this place! Mouseclick-fast and secure, the ultimate speed boost besides SSD technology, see the data sheet: at first, update the gam_server (gamin (fc25) and gamin-server (OpenSuSE13.2) with gam_server into /usr/libexec) or remove it (like in OpenSuSE, where gamin is not offered), which might have to do with it, and never connect to the ISP (Internet Service Provider) using the NetworkManager (el6) together with networkmanager-applet (mdv2010.2), but through "ifup eth0" by surfuser instead (but without naming surfgroup), maybe out of the K-menu; in the case of Konqueror for example set:

renice -n 18 `pidof konqueror`


that means for surfuser joining surfgroup in order to start konqueror after the login to surfuser:

"knemo && sg surfgroup konqueror && renice -n 18 `pidof konqueror` && kded4"


rpm-description: "Run command in restricted environment. Chrootuid makes it easy to run a network service at low privilege level and with restricted file system access. At Eindhoven University, they use this program to run the gopher and www (world-wide web) network daemons in a minimal environment: The daemons have access only to their own directory tree, and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software."

OK Or additionally, on the basis of the suid sandbox firejail (ram80: 0.9.44.8-1, rosa2014.1, rosa2016.1, pclos2017 or https://sourceforge.net/projects/firejail/) for all programs online and untrusted (following the includes, which might be some; we chose firejail for quite all of them), one more program for mdv2010.2 or el6 from rosa2014.1, which you can also download from here:

firejail-0.9.52-1pclos2017.x86_64.rpm (from December 2017, vendor: none, pbone.net)
or download firejail pclos2017 from our update section, preconfigured by us for firefox, Konqueror, kmail and so on for firejail-0.9.52-1.



"knemo && sg surfgroup "firejail --private=/home/surfuser konqueror" && renice -n 18 `pidof konqueror` && kded4"


or, enhanced with option --profile:

"knemo && sg surfgroup "unshare firejail --nice=18 --profile=/etc/firejail/konqueror.profile --private=/home/surfuser konqueror" && kded4"


This call gets quite long, so for a start with priority 18 (from -20 up to 20) by a single (or double) mouse click do not forget to add this command into the belonging entry for konqueror within the K-menu, on the desktop or in the quick starter of the taskbar. For shell scripts this can be done by "xterm -e /path_to/shellscript.sh" resp. "konsole -e /path_to/shellscript.sh".

Linux namespaces sandbox program firejail, https://sourceforge.net/projects/firejail/
"Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x (and 4.20.13 with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: Version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)) and glibc (el8, pclos, mga6) resp. 2.6.39.4-5.1, com., Gooken) kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc."


OK Firejail is a SUID sandbox program, that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces.

firejail - version 0.9.48

Options:
-- - signal the end of options and disables further option processing.
--allow-debuggers - allow tools such as strace and gdb inside the sandbox.
OK--allow-private-blacklist - allow blacklisting files in private
home directories.
--allusers - all user home directories are visible inside the sandbox.
--apparmor - enable AppArmor confinement.
--appimage - sandbox an AppImage application.
--audit[=test-program] - audit the sandbox.
--bandwidth=name|pid - set bandwidth limits.
--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.
--bind=filename1,filename2 - mount-bind filename1 on top of filename2.
--blacklist=filename - blacklist directory or file.
-c - execute command and exit.
--caps - enable default Linux capabilities filter.
OK--caps.drop=all - drop all capabilities.
--caps.drop=capability,capability - blacklist capabilities filter.
--caps.keep=capability,capability - whitelist capabilities filter.
--caps.print=name|pid - print the caps filter.
--cgroup=tasks-file - place the sandbox in the specified control group.
--chroot=dirname - chroot into directory.
--cpu=cpu-number,cpu-number - set cpu affinity.
--cpu.print=name|pid - print the cpus in use.
--csh - use /bin/csh as default shell.
--debug - print sandbox debug messages.
--debug-blacklists - debug blacklisting.
--debug-caps - print all recognized capabilities.
--debug-check-filename - debug filename checking.
--debug-errnos - print all recognized error numbers.
--debug-protocols - print all recognized protocols.
--debug-syscalls - print all recognized system calls.
--debug-whitelists - debug whitelisting.
--defaultgw=address - configure default gateway.
OK--dns=address - set DNS server.
--dns.print=name|pid - print DNS configuration.
--env=name=value - set environment variable.
--force - attempt to start a new sandbox inside the existing sandbox.
--fs.print=name|pid - print the filesystem log.
--get=name|pid filename - get a file from sandbox container.
--help, -? - this help screen.
--hostname=name - set sandbox hostname.
--hosts-file=file - use file as /etc/hosts.
--ignore=command - ignore command in profile files.
--interface=name - move interface in sandbox.
OK--ip=address - set interface IP address.
--ip=none - no IP address and no default gateway are configured.
--ip6=address - set interface IPv6 address.
--iprange=address,address - configure an IP address in this range.
OK--ipc-namespace - enable a new IPC namespace.
--join=name|pid - join the sandbox.
--join-filesystem=name|pid - join the mount namespace.
--join-network=name|pid - join the network namespace.
--join-or-start=name|pid - join the sandbox or start a new one.
--list - list all sandboxes.
--ls=name|pid dir_or_filename - list files in sandbox container.
--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.
--machine-id - preserve /etc/machine-id
--mtu=number - set interface MTU.
--name=name - set sandbox name.
--net=bridgename - enable network namespaces and connect to this bridge.
OK--net=ethernet_interface - enable network namespaces and connect to this Ethernet interface.
--net=none - enable a new, unconnected network namespace.
OK--netfilter[=filename] - enable the default client network filter.
--netfilter6=filename - enable the IPv6 network filter.
OK--netns=name - Run the program in a named, persistent network namespace.
--netstats - monitor network statistics.
OK--nice=value - set nice value.
OK--no3d - disable 3D hardware acceleration.
OK--noblacklist=filename - disable blacklist for file or directory .
OK--noexec=filename - remount the file or directory noexec nosuid and nodev.
OK--nogroups - disable supplementary groups.
OK--nonewprivs - sets the NO_NEW_PRIVS prctl.
--noprofile - do not use a security profile.
OK--nosound - disable sound system.
OK --novideo - disable video devices.
OK--nowhitelist=filename - disable whitelist for file or directory .
--output=logfile - stdout logging and log rotation.
--overlay - mount a filesystem overlay on top of the current filesystem.
--overlay-named=name - mount a filesystem overlay on top of the current filesystem, and store it in name directory.
--overlay-tmpfs - mount a temporary filesystem overlay on top of the current filesystem.
--overlay-clean - clean all overlays stored in $HOME/.firejail directory.
OK--private - temporary home directory.
OK--private=directory - use directory as user home.
OK --private-home=file,directory - build a new user home in a temporary
filesystem, and copy the files and directories in the list in the new home.
OK--private-bin=file,file - build a new /bin in a temporary filesystem and copy the programs in the list.
OK--private-dev - create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.
OK--private-etc=file,directory - build a new /etc in a temporary filesystem, and copy the files and directories in the list.
OK--private-tmp - mount a tmpfs on top of /tmp directory.
OK--private-opt=file,directory - build a new /opt in a temporary filesystem.
--profile=filename - use a custom profile.
--profile-path=directory - use this directory to look for profile files.
--protocol=protocol,protocol,protocol - enable protocol filter.
--protocol.print=name|pid - print the protocol filter.
--put=name|pid src-filename dest-filename - put a file in sandbox container.
--quiet - turn off Firejail´s output.
OK--read-only=filename - set directory or file read-only.
--read-write=filename - set directory or file read-write.
--rlimit-fsize=number - set the maximum file size that can be created by a process.
OK --rlimit-nofile=number - set the maximum number of files that can be opened by a process.
OK --rlimit-nproc=number - set the maximum number of processes that can be created for the real user ID of the calling process.
--rlimit-sigpending=number - set the maximum number of pending signals for a process.
OK--rmenv=name - remove environment variable in the new sandbox.
--scan - ARP-scan all the networks from inside a network namespace.
OK --seccomp - enable seccomp filter and apply the default blacklist.
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
OK--seccomp=syscall,syscall,syscall
Enable seccomp filter, blacklist the default list and the syscalls specified by the command.
Example: firejail --seccomp=utime,utimensat,utimes firefox
--seccomp.drop=syscall,syscall,syscall
Enable seccomp filter, and blacklist the syscalls specified by the command.
Example: firejail --seccomp.drop=utime,utimensat,utimes
--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and whitelist the syscalls specified by the command.
--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and return errno for the syscalls specified by the command.
--seccomp.print=name|pid - print the seccomp filter for the sandbox identified by name or PID.
OK--shell=none - run the program directly without a user shell.
--shell=program - set default user shell.
--shutdown=name|pid - shutdown the sandbox identified by name or PID.
--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.
--top - monitor the most CPU-intensive sandboxes.
--trace - trace open, access and connect system calls.
--tracelog - add a syslog message for every access to files or directories blacklisted by the security profile.
--tree - print a tree of all sandboxed processes.
--version - print program version and exit.
--veth-name=name - use this name for the interface connected to the bridge.
--whitelist=filename - whitelist directory or file.
--writable-etc - /etc directory is mounted read-write.
--writable-var - /var directory is mounted read-write.
--writable-var-log - use the real /var/log directory, not a clone.
OK --x11 - enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension.
--x11=none - disable access to X11 sockets.
--x11=xephyr - enable Xephyr X11 server. The window size is 800x600.
OK--x11=xorg - enable X11 security extension.
--x11=xpra - enable Xpra X11 server.
--x11=xvfb - enable Xvfb X11 server.
--zsh - use /usr/bin/zsh as default shell.

Examples:
$ firejail firefox
start Mozilla Firefox
$ firejail --debug firefox
debug Firefox sandbox
$ firejail --private --dns=8.8.8.8 firefox
start Firefox with a new, empty home directory, and a well-known DNS-server setting.
$ firejail --net=eth0 firefox
start Firefox in a new network namespace
$ firejail --x11=xorg firefox
start Firefox and sandbox X11
$ firejail --list
list all running sandboxes


License GPL version 2 or later
Homepage: http://firejail.wordpress.com

"With Firejail, the risk posed by as yet unpatched security holes in programs can be reduced considerably.", www.kuketz-blog.de/firejail-linux-haerten-teil4

Firejail has two very interesting options: --profile, which by default uses default.profile and, besides that, one profile per program resp. process out of the huge amount in /etc/firejail, and --private. The latter completes the sandbox as a whole. Referring to linfw3, for still blocking all trojans resp. backdoors, use the firejail options already listed above, --private=/home/surfuser together with --profile, especially with the pregiven (and already listed) profiles.

Do without firejail, if firefox does not work correctly, until firejail is reconfigured well enough!

"SECure COMPuting with filters (like seccomp within firejail)
===========================================
Introduction
------------
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. As system calls change and mature, bugs are found and eradicated. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications.
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The filter is expressed as a Berkeley Packet Filter (BPF) program, as with socket filters, except that the data operated on is related to the system call being made: system call number and the system call arguments. This allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland and a straightforward data set.
Additionally, BPF makes it impossible for users of seccomp to fall prey to time-of-check-time-of-use (TOCTOU) attacks that are common in system call interposition frameworks. BPF programs may not dereference pointers which constrains all filters to solely evaluating the system call arguments directly.
What it isn't
-------------
System call filtering isn't a sandbox. It provides a clearly defined mechanism for minimizing the exposed kernel surface. It is meant to be a tool for sandbox developers to use. Beyond that, policy for logical behavior and information flow should be managed with a combination of other system hardening techniques and, potentially, an LSM of your choosing. Expressive, dynamic filters provide further options down this path (avoiding pathological sizes or selecting which of the multiplexed system calls in socketcall() is allowed, for instance) which could be construed, incorrectly, as a more complete sandboxing solution.
Usage
-----
An additional seccomp mode is added and is enabled using the same prctl(2) call as the strict seccomp. If the architecture has CONFIG_HAVE_ARCH_SECCOMP_FILTER, then filters may be added as below:
...", https://www.pro-linux.de/news/1/25207/sicherheits-audit-von-dnsmasq.html, https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

Firefox with Tor:

OK
sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/firefox.profile /usr/lib64/firefox/firefox --no-remote &" && sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/tor.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts"


with a default-firefox.profile like default.profile, but without blacklist /home/surfuser/.mozilla and /home/surfuser/.cache (commented out with "#").

The tor option is used for the anonymizing TorDNS as the remote DNS server, which is introduced with Tor at the end of this excursus.

Following the many profile files in /etc/firejail, Firejail, which is easy to handle compared to the sandbox docker-io, is recommended for all programs resp. processes online that you might not trust, like webserver, server or dolphin (which causes an internally restricted bash, so that you should do without it, as with quite all processes online). Have a brief look into the configuration files of firejail in /etc/firejail too: many of them refer to single processes resp. programs, some, like the files named disable*.inc, refer to more than one. There, encrypted partitions and directories including sub-directories (blacklist /mnt/) and USB sticks (blacklist /media/ resp. blacklist /media/directory_for_the_usb-stick) can be secured once more, as well as the blocking of the internal start of bash commands referring to outside of private and so on. Now everything online runs not only "two and three times more secure" but even much faster than already fast!

Firejail-options for *.inc-files within /etc/firejail/ :
caps.drop all
ipc-namespace
netfilter
no3d
nogroups
nonewprivs
noroot
nosound
noautopulse
notv
protocol unix,inet,inet6
OKseccomp
OKshell none
tracelog
quiet
private-dev
private-bin
private-etc passwd,group,hostname,hosts,resolv.conf,nsswitch.conf,fonts,mailcap,pulse
private-tmp
# ... not all firejail options should be activated, in order to avoid capacity problems and serious hard system errors!


The current firejail 0.9.48-1.pcclos2017, provided preconfigured by us (Gooken) for download from our update section, ships with profile files for many programs in /etc/firejail (one per program, e.g. firefox.profile, palemoon.profile, dolphin.profile; for a description of the options see "man firejail"). Extracts from the most important ones follow.




OK/etc/firejail/firefox.profile (extraction):
...
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/firefox.local
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
blacklist ~/.config/qpdfview
blacklist ~/.local/share/qpdfview
blacklist ~/.pki
blacklist /usr/bin
blacklist /usr/sbin
blacklist /usr/src
blacklist /opt
blacklist /sbin
blacklist /usr/libexec
blacklist /bin
blacklist /usr/games
blacklist /etc/init.d
blacklist /etc/rc0.d
blacklist /etc/rc1.d
blacklist /etc/rc2.d
blacklist /etc/rc3.d
blacklist /etc/rc4.d
blacklist /etc/rc5.d
blacklist /etc/rc6.d
blacklist /etc/rc.d
blacklist /etc/fstab
blacklist /etc/mtab
blacklist /etc/crypttab
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /etc/passwd
blacklist /boot
blacklist /usr/local
blacklist ~/.kde4
blacklist ~/.config
blacklist ~/.gconf
blacklist ~/.gconfd
blacklist ~/.local
blacklist ~/.mcop
blacklist ~/.pulse-cookie
blacklist ~/.thumbnails
blacklist ~/Desktop
blacklist /home/secret
blacklist /home/toranonym
blacklist /media
blacklist /mnt
noblacklist /usr/bin/xargs
noblacklist /usr/bin/xauth
noblacklist /usr/bin/export
noblacklist /usr/bin/firefox
noblacklist /usr/bin/sg
noblacklist /usr/bin/gftp
noblacklist /usr/bin/gftp-gtk
noblacklist /usr/bin/gftp-text
noblacklist /usr/bin/tor
noblacklist /bin/certtool
noblacklist /bin/certutil
noblacklist /bin/basename
noblacklist /bin/bash.old
noblacklist /bin/p11tool
noblacklist /bin/pk12util
noblacklist /bin/smime
noblacklist /bin/shlibsign
noblacklist /bin/signtool
noblacklist /bin/signver
noblacklist /bin/ssltap
read-only /home/surfuser/.mozilla/firefox/default.profile/user.js
read-only /home/surfuser/torrc
read-only /home/surfuser/.mozilla/firefox/prefs.js
#blacklist ~/."moonchild productions"
include /etc/firejail/disable-common0.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
OKcaps.drop all
# caps.drop=CAP_AUDIT_CONTROL,CAP_AUDIT_WRITE,CAP_AUDIT_READ
OKipc-namespace
OKnetfilter
OKnogroups
OKnonewprivs
OKnoroot
OKprotocol unix,inet,netlink
OKseccomp
OKshell none
nosound
noautopulse
notv
# tracelog
OKno3d
OKnodbus
OKnodvd
OKnosound
OKnou2f
# ... see firejail --help, NOTE: not all Firejail options work for Firefox!
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
mkdir ~/.pki
whitelist ~/.pki
disable-mnt # or use blacklist /mnt and blacklist /media

private-dev # This might not always work with firefox
# experimental features
# private-bin sh,which,env,dbus-send,dbus-launch
# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
private-etc passwd,group,hostname,hosts,resolv.conf,nsswitch.conf,fonts,mailcap,pulse
# private-dev # - prevents video calls going out
private-tmp
noexec ${HOME}
noexec /tmp
noexec /tmp2


... or, in order to always start konqueror with priority 18 by mouse click from the K menu, enter "sg surfgroup konqueror && renice -n 18 `pidof konqueror` && kded4" resp. the same with firejail options into the command line of the menu entry, after editing the K menu with kmenuedit. Konqueror loads websites fabulously fast even with process priority 18 (it is like beaming to visit anything anywhere at once with a spaceship like the Enterprise, thanks Spock, as if Google had not been there for a long time...). We also started services like the cookie management for surfuser, named kded4. On our link pages we describe by reports and links more speed-up methods for the browser Firefox.

Notice that there is a patch for firejail (pclos2017) from 2017/12, firejail-0.9.52-1.x86_64, making the private option really effective in all cases. This means that for our two firejail examples for konqueror and firefox it is better to refrain from this option for now, until firejail gets reconfigured. To make firejail already work well without this option, we suggest the following configuration. Also notice that it won't fit all programs (although quite all). In this case, single entries might have to be removed or added and stored in new configuration files:

Pale Moon, notice: NoScript and RequestBlockPolicyContinued do not block many scripts that they should block!


OK/etc/firejail/palemoon.profile
#### Especially for Pale Moon (browser):

blacklist /mnt
blacklist /media
blacklist /etc/cups
blacklist /usr/local
blacklist /usr/sbin
blacklist /sbin
blacklist /usr/libexec
blacklist /usr/games
blacklist /lib
blacklist /home/toruser
blacklist /home/user
blacklist /opt
blacklist /usr/lib
blacklist /usr/lib/python*
blacklist /usr/lib64/python*
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist ${HOME}/.wine
blacklist ${HOME}/.gnupg
ipc-namespace
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
#nogroup
OKshell none
#private-bin which,firefox
private-dev
private-tmp
private-etc passwd,group,hostname,hosts,fonts,nsswitch.conf,xdg,resolv.conf,pango #
#### end Pale Moon (/etc/firejail/palemoon.profile)



OK/etc/firejail/default.profile (preconfigured firejail (fc27, pclos2017, rosa2016.1) from August 2017 can be downloaded from our update section):

################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
#
blacklist ${HOME}/.wine
blacklist ${HOME}/.gnupg
caps.drop all
# netfilter
nonewprivs
noroot
protocol unix,inet,inet6
# seccomp

OKshell none # this is very important and suitable for many profiles, even konqueror, kmail and thunderbird, but not all profiles: also notice our comments about /etc/passwd


/etc/firejail/disable-common.inc of firejail (rosa2014.1), alternatively set ACL-rules (setfacl):

OKnoexec /usr/bin/bash # for some profiles like for Konqueror
noexec /bin/bash
# History files in HOME
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.*_history
blacklist ${HOME}/.local/share/systemd
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.macromedia
read-only ${HOME}/.local/share/applications

# X11 session autostart and more
blacklist ${HOME}/Desktop
blacklist ${HOME}/*.jar
blacklist ${HOME}/logs
blacklist ${HOME}/tor-browser
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.config/autostart
blacklist /etc/xdg/autostart
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.config/plasma-workspace/shutdown
blacklist ${HOME}/.config/plasma-workspace/env
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.fluxbox/startup
blacklist ${HOME}/.config/openbox/autostart
blacklist ${HOME}/.config/openbox/environment
blacklist ${HOME}/.gnomerc
read-only /etc
read-only /bin
read-only /usr/bin
read-only /usr/etc
read-only /proc
read-only /sys
read-only /dev
blacklist /etc/X11/Xsession.d/
blacklist /media/ # USB sticks
blacklist /media/sicher/
blacklist /mnt
blacklist /opt
blacklist /misc
blacklist /secoff
blacklist /sid-root
blacklist /lost+found
blacklist /smack
blacklist /srv
blacklist /net
blacklist /initrd
blacklist /intel-ucode
blacklist /boot-save
blacklist /boot
blacklist /cgroup
blacklist /root
read-only /lib
read-only /lib64
read-only /usr/lib
read-only /usr/lib64 # Firefox: "read-only /usr/lib64/lib*" or read-only /usr/lib64/a*, ..., read-only /usr/lib64/z* without the firefox-directory
read-only /usr/lib64/kde4
blacklist /usr/local
blacklist /usr/bin/ssh*
blacklist /usr/src
read-only /usr/bin/firejail
read-only /usr/ssl
read-only /usr/libexec
read-only /usr/uclibc
read-only /usr/X11R6
read-only /usr/x86_64-linux-uclibc
read-only /usr/etc
read-only /usr/com
read-only /usr/docs
read-only /usr/enthought
read-only /usr/GNUstep
read-only /usr/selenium
read-only /usr/man
read-only /usr/mipsel-linux
read-only /usr/i686-w64-mingw32
read-only /usr/i486-linux-libc5
blacklist /bin/kill
blacklist /bin/rm
blacklist /bin/ping
blacklist /bin/mount*
blacklist /bin/umount*
blacklist /bin/ls*
blacklist /bin/sed*
blacklist /bin/rpm
blacklist /bin/pipeline
blacklist /bin/mv
blacklist /bin/cp
blacklist /bin/csh
blacklist /bin/dd
blacklist /bin/chmod
blacklist /bin/chown
blacklist /bin/dash
blacklist /bin/df
blacklist /bin/dmesg
blacklist /bin/ed
blacklist /bin/find
blacklist /bin/grep
blacklist /bin/exec
blacklist /bin/gunzip
blacklist /bin/gzip
blacklist /bin/gzexe
blacklist /bin/ln
blacklist /bin/login
blacklist /bin/lsblk
blacklist /bin/mail
blacklist /bin/mailx
blacklist /bin/mkdir
blacklist /bin/mksh
blacklist /bin/mknod
blacklist /bin/netstat
# blacklist /bin/ps
blacklist /bin/pwd
blacklist /bin/pipeline
blacklist /bin/rmdir
blacklist /bin/tcsh
blacklist /bin/touch
blacklist /bin/vi
blacklist /bin/zsh
blacklist /bin/tar
blacklist /bin/zless
blacklist /bin/zmore
blacklist /bin/more
blacklist /bin/date
blacklist /bin/dmesg
blacklist /bin/ash
blacklist /bin/awk
blacklist /bin/cg*
blacklist /bin/cd
blacklist /bin/bashb*
blacklist /bin/cat
blacklist /bin/env
blacklist /bin/get*
blacklist /bin/for*
blacklist /bin/homeof
blacklist /bin/foreground
blacklist /usr/bin/rpm*
blacklist /usr/bin/srm
blacklist /usr/bin/shred
blacklist /usr/bin/wipe
blacklist /usr/bin/mount*
blacklist /usr/bin/umount*
blacklist /usr/bin/mouse*
blacklist /usr/bin/ls*
# blacklist /usr/bin/r*
# blacklist /usr/bin/a*
# blacklist /usr/bin/c*
# blacklist /usr/bin/e*
# blacklist /usr/bin/f*
# blacklist /usr/bin/h*
# blacklist /usr/bin/i*
# blacklist /usr/bin/j*
# blacklist /usr/bin/perl*
# blacklist /usr/bin/s*
# blacklist /usr/bin/t*
# blacklist /usr/bin/u*
# blacklist /usr/bin/v*
# blacklist /usr/bin/w*
# blacklist /usr/bin/x*
# blacklist /usr/bin/y*
# blacklist /usr/bin/z*
blacklist /usr/libexec/mysql*
blacklist /usr/bin/mysql*
blacklist /usr/share/autostart
read-only /usr/share/cups
read-only /usr/share/cups/model
blacklist /usr/share/doc
blacklist /var/www
blacklist /var/www/html

# VirtualBox
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/VirtualBox VMs
blacklist ${HOME}/.config/VirtualBox

# VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/veracrypt
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist ${HOME}/.VeraCrypt

# var
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock

# etc
blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
blacklist /etc/rpc*
blacklist /etc/rpm*
blacklist /etc/rc*
blacklist /etc/init.d
read-only /etc/printcap
blacklist /etc/pmount*
read-only /etc/PolicyKit
read-only /etc/php.ini
read-only /etc/passwd
read-only /etc/paper*
blacklist /etc/mpasswd
blacklist /etc/modprobe*
blacklist /etc/mke2fs*
blacklist /etc/libuser.conf
blacklist /etc/libvirt
blacklist /etc/ld.so*
read-only /etc/kde
blacklist /etc/init*
blacklist /etc/incron*
blacklist /etc/resolv.conf
blacklist /etc/host*
blacklist /etc/gshadow*
blacklist /etc/fstab*
blacklist /etc/freshclam*
blacklist /etc/dracut*
read-only /etc/Dir_COLORS*
blacklist /etc/dhcp*
read-only /etc/cups
blacklist /etc/crypttab*
blacklist /etc/cron*
blacklist /etc/csh*
blacklist /etc/cvs*
blacklist /etc/cpu*
blacklist /etc/conntrackd.conf
blacklist /etc/color*
blacklist /etc/cloud
blacklist /etc/clam*
blacklist /etc/chrony*
blacklist /etc/chilli*
read-only /etc/bash*
blacklist /etc/at
blacklist /etc/asound*
blacklist /etc/aide*

# General startup files
read-only ${HOME}/.xinitrc
read-only ${HOME}/.xserverrc
read-only ${HOME}/.profile

# Shell startup files
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_login
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bash_logout
read-only ${HOME}/.zsh.d
read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
read-only ${HOME}/.zlogin
read-only ${HOME}/.zprofile
read-only ${HOME}/.zlogout
read-only ${HOME}/.zsh_files
read-only ${HOME}/.tcshrc
read-only ${HOME}/.cshrc
read-only ${HOME}/.csh_files
read-only ${HOME}/.profile
read-only ${HOME}/.gnugp*
read-only ${HOME}/gnupg

# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles
read-only ${HOME}/dotfiles
read-only ${HOME}/.mailcap
read-only ${HOME}/.exrc
read-only ${HOME}/_exrc
read-only ${HOME}/.vimrc
read-only ${HOME}/_vimrc
read-only ${HOME}/.gvimrc
read-only ${HOME}/_gvimrc
read-only ${HOME}/.vim
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d

read-only ${HOME}/.nano
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.msmtprc
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
read-only /etc/X11
# The user ~/bin directory can override commands such as ls
read-only ${HOME}/bin
# top user
blacklist ${HOME}/.ssh
blacklist ${HOME}/.cert
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.netrc
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.caff
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.key
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist /home/surfuser/.gnupg
blacklist /etc/shadow
blacklist /etc/gshadow
# blacklist /etc/passwd
blacklist /etc/passwd-
blacklist /etc/group-
blacklist /etc/shadow-
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/group+
blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup

# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
blacklist ${PATH}/evtest
blacklist ${PATH}/xev
blacklist ${PATH}/strace
blacklist ${PATH}/nc
blacklist ${PATH}/ncat

# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin

# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*

# disable terminals running as server resulting in sandbox escape
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
blacklist ${PATH}/xterm
blacklist ${PATH}/konsole
blacklist ${PATH}/rxvt
blacklist ${PATH}/lxterminal
read-only /etc/firejail
blacklist /usr/bin/ssh*
blacklist /usr/bin/rlogin*
blacklist ${HOME}/.gftp/cache
blacklist ${HOME}/Dokumente
blacklist ${HOME}/Video
blacklist ${HOME}/Bilder
blacklist ${HOME}/Audio
blacklist ${HOME}/Texte


Now start Pale Moon (similar Firefox with default.profile instead of palemoon.profile):

knemo && sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/palemoon.profile /usr/lib64/palemoon/palemoon --no-remote &" && sg surfgroup "tor -f /etc/tor/torrc" && export RESOLV_HOST_CONF="/etc/hosts"


It is possible to enter this command line into a starter (menu entry) under "Command" to start Pale Moon by one mouse click only.

Small disadvantage: the firejail process for the browser has to be killed before any package installations are possible. Generally all processes started by the user surfuser can be terminated with the command "killall -u surfuser"; as dnsmasq might run under surfuser as well, at least run the command "killall firejail" from time to time, before too many firejail processes are running, so that all still running firejail processes terminate. It is recommended to create a small entry for this with user root in the K menu and/or the same entry in the task bar.
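Hand-edited profiles like the ones above are easy to get subtly wrong: a "~./" path that never matches, a ${HOME} macro that lost its "$", a duplicated entry, a noblacklist placed below the blacklist it is meant to exempt, or a stray marker glued to a directive. The following profile linter catches these without needing firejail installed; it is an added example, not code from this page or from the firejail project, KNOWN is an assumed subset of the directives in "man firejail", and SAMPLE_PROFILE is a constructed input.

```python
"""Lint a firejail profile for format mistakes (no firejail installation needed).

Added example: not code from the Gooken page nor from the firejail project.
KNOWN is an assumed subset of the directives documented in `man firejail`;
a directive missing from it is only reported as "unknown", not as an error.
"""
import re

KNOWN = {
    "include", "blacklist", "blacklist-nolog", "noblacklist", "whitelist",
    "read-only", "read-write", "noexec", "mkdir", "mkfile", "private",
    "private-bin", "private-dev", "private-etc", "private-tmp", "private-lib",
    "caps.drop", "caps.keep", "seccomp", "seccomp.drop", "seccomp.keep",
    "protocol", "netfilter", "net", "nonewprivs", "noroot", "nogroups",
    "nosound", "noautopulse", "notv", "nodvd", "no3d", "nodbus", "nou2f",
    "shell", "ipc-namespace", "tracelog", "quiet", "disable-mnt", "x11",
    "env", "name", "hostname", "dns", "machine-id", "apparmor", "ignore",
    "memory-deny-write-execute", "nice", "cpu", "writable-var", "writable-etc",
}
# Directives whose argument is a path (subject to the path-typo checks below).
PATH_DIRECTIVES = {"blacklist", "blacklist-nolog", "noblacklist", "whitelist",
                   "read-only", "read-write", "noexec", "mkdir", "mkfile"}


def lint_profile(text):
    """Return a list of (line_number, message) findings for one profile text."""
    findings = []
    seen = {}          # (directive, argument) -> first line it appeared on
    blacklisted = {}   # path -> line of its first "blacklist"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""

        if directive not in KNOWN:
            # Covers typos and stray markers glued to a directive, e.g. "OKseccomp".
            findings.append((lineno, f"unknown directive '{directive}' (check man firejail)"))
            continue

        if directive in PATH_DIRECTIVES:
            if arg.startswith("~./"):
                findings.append((lineno, f"'{arg}': '~./' is probably a typo for '~/.'"))
            # "{HOME}", "DOLLAR{HOME}" and "DOLLARSIGN{HOME}" all lack the real "$".
            if re.match(r"(DOLLAR(SIGN)?)?\{", arg):
                findings.append((lineno, f"'{arg}': macro needs a leading '$' (e.g. ${{HOME}})"))

        key = (directive, arg)
        if key in seen:
            findings.append((lineno, f"duplicate of line {seen[key]}: '{line}'"))
        else:
            seen[key] = lineno

        # Order matters: profile lines are processed top to bottom, so an
        # exact-path noblacklist placed after its blacklist exempts nothing.
        if directive == "blacklist":
            blacklisted.setdefault(arg, lineno)
        elif directive == "noblacklist" and arg in blacklisted:
            findings.append((lineno, f"'noblacklist {arg}' comes after 'blacklist' on line "
                                     f"{blacklisted[arg]}; move it above that line"))
    return findings


# Constructed sample modelled on the profile extracts above (not a real file).
SAMPLE_PROFILE = """\
# Firejail profile for a browser (constructed sample)
noblacklist ~/.mozilla
include /etc/firejail/disable-common.inc
blacklist /usr/bin
blacklist ~./kde4
blacklist DOLLAR{HOME}/.wine
blacklist {HOME}/.gnupg
blacklist /bin/dmesg
blacklist /bin/dmesg
noblacklist /usr/bin
OKseccomp
caps.drop all
shell none
private-etc passwd,group,hosts
"""

if __name__ == "__main__":
    for lineno, message in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {message}")
```

Run it against a real profile with `lint_profile(open("/etc/firejail/firefox.profile").read())`; included files are not followed, so lint each *.inc file separately.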

OKGeneral chroot and suid paranoia
chroot is one of the most powerful possibilities to restrict a daemon or a user or another service. Just imagine a jail around your target, which the target cannot escape from (normally, but there are still a lot of conditions that allow one to escape out of such a jail). You can eventually create a modified root environment for the user or service you do not trust. This can use quite a bit of disk space as you need to copy all needed executables, as well as libraries, into the jail. But then, even if the user does something malicious, the scope of the damage is limited to the jail.
Many services running as daemons could benefit from this sort of arrangement. The daemons that you install with your Debian distribution will not come, however, chrooted per default.
This includes: name servers (such as bind), web servers (such as apache), mail servers (such as sendmail) and ftp servers (such as wu-ftpd). It is probably fair to say that the complexity of BIND is the reason why it has been exposed to a lot of attacks in recent years (see Securing BIND, Section 5.7).
However, Debian does provide some software that can help set up chroot environments. See Making chrooted environments automatically (depicted in the following).
Anyway, if you run any service on your system, you should consider running them as secure as possible. This includes: revoking root privileges, running in a restricted environment (such as a chroot jail) or replacing them with a more secure equivalent.
However, be forewarned that a chroot jail can be broken if the user running in it is the superuser. So, you need to make the service run as a non-privileged user. By limiting its environment you are limiting the world readable/executable files the service can access, thus, you limit the possibilities of a privilege escalation by use of local system security vulnerabilities. Even in this situation you cannot be completely sure that there is no way for a clever attacker to somehow break out of the jail. Using only server programs which have a reputation for being secure is a good additional safety measure. Even minuscule holes like open file handles can be used by a skilled attacker for breaking into the system. After all, chroot was not designed as a security tool but as a testing tool.
Making chrooted environments automatically
There are several programs to chroot automatically servers and services. Debian currently (accepted in May 2002) provides Wietse Venema´s chrootuid in the chrootuid package, as well as compartment and makejail. These programs can be used to set up a restricted environment for executing any program (chrootuid enables you to even run it as a restricted user).
Some of these tools can be used to set up the chroot environment easily. The makejail program for example, can create and update a chroot jail with short configuration files (it provides sample configuration files for bind, apache, postgresql and mysql). It attempts to guess and install into the jail all files required by the daemon using strace, stat and Debian´s package dependencies. More information at http://www.floc.net/makejail/. Jailer is a similar tool which can be retrieved from http://www.balabit.hu/downloads/jailer/ and is also available as a Debian package.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-chroot

But back to our text about LINFW3: Notice that the NEW-LINE-BLOCK of Linfw3 alone protects from all hackers except on established connections opened by the surfer, but not from any backdoors resp. trojans! Always use the NEW-LINE-BLOCK together with the UID- (and/or GID-) owner concept for surfuser and surfgroup and with the port concept, while updates can be performed in the same way by root as by the surfuser (and/or surfgroup)! Both ALLOW-ROOT_LOGIN and ROOT_LOGIN shall be set to "no", and all access rights on directories and files set adequately. If all this is not regarded, the computer system will almost certainly get seriously hacked!

Mouseclick-fast work with the computer also has no chance of turning into a negative effect if you follow the methods of our excurs. For an always good and fast mount and umount of the USB stick, update the filesystem tools to reiserfsprogs-3.6.24, e2fsprogs (1.43.2 from September 2016) resp. btrfs, and manage the integration of the module usb_storage by modprobe. This module guarantees the fast, secure mount and secure unmount of USB media. To integrate it permanently for mdv2010 and other Linux, type its name into the file /etc/modprobe.preload. If the command chattr should keep its function instead, do not update the filesystem tools, as some kind of "id for owner rights" gets lost. But in this case not much gets restricted, if chattr was not used before.

Our extra security tip: Always click on "exit" in the networkmanager applet (el6) after the first dial-in resp. after the first connection to the internet has been built up!

MAC Tomoyo profiles: /etc/tomoyo/*, kernel-boot-options security=tomoyo tomoyo=1.

OK # apparmor: application MAC protection shield and MAC kernel security module, loaded via /boot/grub/menu.lst (grub1) with the kernel options security=apparmor apparmor=1
# start dbus-apparmor in the background from /etc/rc.local: dbus-apparmor &
# start the applet from /etc/rc.local: /usr/lib64/apparmorapplet &
# example: apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox && /usr/bin/firefox # (resp., in order not to give up firejail as introduced: ... && sg surfgroup "firejail --profile=/etc/firejail/firefox-esr.profile /usr/bin/firefox")
# Listing of /etc/apparmor/profiles/extras/ (ls -l output: size, date, profile name):
885 23. Jul 15:03 bin.netstat
1247 23. Jul 15:03 etc.cron.daily.logrotate
955 23. Jul 15:03 etc.cron.daily.slocate.cron
729 23. Jul 15:03 etc.cron.daily.tmpwatch
1733 23. Jul 15:03 README
1934 23. Jul 15:03 sbin.dhclient
1297 23. Jul 15:03 sbin.dhcpcd
682 23. Jul 15:03 sbin.portmap
855 23. Jul 15:03 sbin.resmgrd
489 23. Jul 15:03 sbin.rpc.lockd
1010 23. Jul 15:03 sbin.rpc.statd
1655 23. Jul 15:03 usr.bin.acroread
791 23. Jul 15:03 usr.bin.apropos
4569 23. Jul 15:03 usr.bin.evolution-2.10
697 23. Jul 15:03 usr.bin.fam
750 23. Jul 15:03 usr.bin.freshclam
1918 23. Jul 15:03 usr.bin.gaim
595 23. Jul 15:03 usr.bin.man
618 23. Jul 15:03 usr.bin.mlmmj-bounce
1041 23. Jul 15:03 usr.bin.mlmmj-maintd
1096 23. Jul 15:03 usr.bin.mlmmj-make-ml.sh
884 23. Jul 15:03 usr.bin.mlmmj-process
587 23. Jul 15:03 usr.bin.mlmmj-recieve
766 23. Jul 15:03 usr.bin.mlmmj-send
821 23. Jul 15:03 usr.bin.mlmmj-sub
803 23. Jul 15:03 usr.bin.mlmmj-unsub
2017 23. Jul 15:03 usr.bin.opera
1003 23. Jul 15:03 usr.bin.passwd
1025 23. Jul 15:03 usr.bin.procmail
1132 23. Jul 15:03 usr.bin.skype
580 23. Jul 15:03 usr.bin.spamc
904 23. Jul 15:03 usr.bin.svnserve
1185 23. Jul 15:03 usr.bin.wireshark
674 23. Jul 15:03 usr.bin.xfs
1022 23. Jul 15:03 usr.lib64.GConf.2.gconfd-2
857 23. Jul 15:03 usr.lib.bonobo.bonobo-activation-server
1258 23. Jul 15:03 usr.lib.evolution-data-server.evolution-data-server-1.10
1604 23. Jul 15:03 usr.lib.firefox.firefox
386 23. Jul 15:03 usr.lib.firefox.firefox.sh
654 23. Jul 15:03 usr.lib.firefox.mozilla-xremote-client
1018 23. Jul 15:03 usr.lib.GConf.2.gconfd-2
1230 23. Jul 15:03 usr.lib.man-db.man
889 23. Jul 15:03 usr.lib.postfix.anvil
2101 23. Jul 15:03 usr.lib.postfix.bounce
1269 23. Jul 15:03 usr.lib.postfix.cleanup
530 23. Jul 15:03 usr.lib.postfix.discard
626 23. Jul 15:03 usr.lib.postfix.error
1701 23. Jul 15:03 usr.lib.postfix.flush
624 23. Jul 15:03 usr.lib.postfix.lmtp
1839 23. Jul 15:03 usr.lib.postfix.local
1887 23. Jul 15:03 usr.lib.postfix.master
2443 23. Jul 15:03 usr.lib.postfix.nqmgr
607 23. Jul 15:03 usr.lib.postfix.oqmgr
859 23. Jul 15:03 usr.lib.postfix.pickup
497 23. Jul 15:03 usr.lib.postfix.pipe
709 23. Jul 15:03 usr.lib.postfix.proxymap
2464 23. Jul 15:03 usr.lib.postfix.qmgr
626 23. Jul 15:03 usr.lib.postfix.qmqpd
670 23. Jul 15:03 usr.lib.postfix.scache
2260 23. Jul 15:03 usr.lib.postfix.showq
1842 23. Jul 15:03 usr.lib.postfix.smtp
2120 23. Jul 15:03 usr.lib.postfix.smtpd
626 23. Jul 15:03 usr.lib.postfix.spawn
791 23. Jul 15:03 usr.lib.postfix.tlsmgr
904 23. Jul 15:03 usr.lib.postfix.trivial-rewrite
628 23. Jul 15:03 usr.lib.postfix.verify
788 23. Jul 15:03 usr.lib.postfix.virtual
1339 23. Jul 15:03 usr.lib.RealPlayer10.realplay
1074 23. Jul 15:03 usr.NX.bin.nxclient
1120 23. Jul 15:03 usr.sbin.cupsd
864 23. Jul 15:03 usr.sbin.dhcpd
6148 23. Jul 15:03 usr.sbin.httpd2-prefork
818 23. Jul 15:03 usr.sbin.imapd
652 23. Jul 15:03 usr.sbin.in.fingerd
1279 23. Jul 15:03 usr.sbin.in.ftpd
590 23. Jul 15:03 usr.sbin.in.ntalkd
825 23. Jul 15:03 usr.sbin.ipop2d
825 23. Jul 15:03 usr.sbin.ipop3d
1365 23. Jul 15:03 usr.sbin.lighttpd
756 23. Jul 15:03 usr.sbin.mysqld
920 23. Jul 15:03 usr.sbin.nmbd
830 23. Jul 15:03 usr.sbin.oidentd
735 23. Jul 15:03 usr.sbin.popper
1331 23. Jul 15:03 usr.sbin.postalias
1017 23. Jul 15:03 usr.sbin.postdrop
829 23. Jul 15:03 usr.sbin.postmap
1091 23. Jul 15:03 usr.sbin.postqueue
3435 23. Jul 15:03 usr.sbin.sendmail
2061 23. Jul 15:03 usr.sbin.sendmail.postfix
1564 23. Jul 15:03 usr.sbin.sendmail.sendmail
946 25. Mai 2012 usr.sbin.slapd
1140 23. Jul 15:03 usr.sbin.smbd
1068 23. Jul 15:03 usr.sbin.spamd
1686 23. Jul 15:03 usr.sbin.squid
3691 23. Jul 15:03 usr.sbin.sshd
1310 23. Jul 15:03 usr.sbin.useradd
1344 23. Jul 15:03 usr.sbin.userdel
1073 23. Jul 15:03 usr.sbin.vsftpd
2413 23. Jul 15:03 usr.sbin.xinetd

Line to add to /etc/modprobe.preload for the permanent loading of the USB storage module (see the USB stick paragraph above):

usb_storage

We never got any delays during the secure umount of USB sticks anymore.

mdv2010 mouseclick-fast: Linux runs faster than Windows: mouseclick-fast mdv2010 on SSD. The code of Linux seems to be architected and optimized well. Nevertheless even Linux can run slow. Before we ask ourselves how this can happen and which software to install, we are interested in CPU- and RAM-killing daemons to deinstall resp. remove from the harddisc. These are processes running in the background, for which we need a good process manager indicating resource consumption in percent. Therefore we start programs like ptree, "ps -All", Systemüberwachung (the KDE system monitor) or just press the keys "ESC" and "STRG" (Ctrl). In our case packagekit, with an enormous and nearly constant consumption of around 40%, was found out, so we installed the el6 one; the same for nspluginwrapper, leading us to set chmod 000 /usr/bin/nspluginscan. Think of kio_thumbnail, which sometimes gets started for creating icons within the filemanager for certain files, in dolphin depending on the configuration for previews. The capacity-reducing process named "prelinking" should rather be tolerated instead:

"prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way, that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Due to fewer relocations, the run-time memory consumption decreases as well (especially the number of unshareable pages). The prelinking information is only used at startup time if none of the dependent libraries have changed since prelinking; otherwise programs are relocated normally."

Depending on the configuration in MCC, security, msec_find checks periodically, during the boot or never. In MCC, security, periodical checks, you can set many msec checks from daily to weekly, even better to "manual", if your mainboard does not have more than one CPU (#SMP). After surfing as surfuser or other communications within the net, all processes started by surfuser should be killed again: killall -u surfuser. See our data sheet: With our decision for mdv2010 and a SSD this aim got reached once more. Also beware of the recommended frequency for the RAM modules mentioned in the manual of the mainboard and do not plug in one of a lower frequency. Then all went mouseclick-fast already with the mainboard model DDR2 533 MHz (or higher) 19 W, which is recommended in the data sheet below. We already got 533 MHz no-names assembled in Germany - for free before ... working fine (in spite of DDR2 Kingston 1GB 333 MHz)! Do not forget: The computer system with SSD runs mouseclick-fast once more, if hdparm (omv2015, rosa2014.1, el7, el6) and sdparm (omv2015, rosa2014.1, el7, el6) are installed.


SSD resp. HDD capacity used <=80%


Boot problems, do you have any problems during booting? Just press the key "i" for the interactive mode right after the short message from udev. Now, by dialogs, it is possible to start each process manually or to skip a process during booting. On problems with the X server (graphic card driver), start all processes except the display manager named "dm". On runlevel four instead of five the terminal helps to enter all kinds of commands to do the next things (like reinstalling the device driver or downgrading the X server from mdv2010.2 to mdv2010.0 by rpm again). Be careful with the installation of further kernels, as some links in /boot (boot partition) can mismatch with the settings in /boot/grub/menu.lst. Then you have to relink them by "ln -sf TARGET linkfile" after booting from a repair CD, a repair USB stick or a backed-up, mirrored medium (which we recommend anyway), in order to mount the boot partition.

SSD harddiscs are even better than the manufacturers specify
published article from 18 June 2014, 08:38, by admin, http://www.ahrens.de/ssd-festplatten-sind-noch-besser-als-die-hersteller-angeben/24906
SSDs are the better replacement for magnetic harddrives, for they do not consist of any moving parts and hence they are up to 100 × faster during reads and 20 × during writes, and they seem to work quite endlessly. Tests show that they do not only work superfast, but also endure ten times longer than their manufacturers promise. You can read the explicit test report on Golem.

Online update sources: http://fr2.rpmfind.net (FTP downloads, here for el6, el7, mdv and mga), http://pkgs.org (HTTP downloads for el6, el7, fc down to fc xx, mga down to mga xx) and http://rpm.pbone.net/ (HTTP and FTP downloads, el6, el7, all popular distros and versions)

The many security checks within MCC, especially sectools, should be set from "daily", "monthly" and so on to "manually", in order to prevent irritating background processes.

MCC gives the opportunity in Network -> Network Center to enable and disable tcp-timestamp, tcp-window-scaling and dynamic IPv6. IPv6 uses static IPs, so disabling the latter is recommended.

29 October 2014, 08:49, heise open
"The CentOS team has released version 6.6 of their Linux distribution. It is based on Red Hat Enterprise Linux (RHEL) with the same version number, which Red Hat published two weeks ago. Therefore the new CentOS includes all its improvements, among them plenty of new and updated drivers, a device-mapper target for mounting a SSD as a cache for slow storage media and the integration of the High Performance Networking (HPN) that was costly up to now. You can get CentOS for free. It promises compatibility with many distributions and is going to be maintained for a long time. Therefore the already some years old CentOS 6 can be updated with security updates until 30 November 2026. Scientific Linux alias CentOS 6.7 is the second clone of RHEL 6.6, for Oracle has released the likewise cloned Oracle Linux 6.6 some days ago."

We found many packages by name already in SuSE 7.3 from year 2003 and Mandrake mdk10.0 from year 2004. The code of their includes must be read out well and better each day. The current Gentoo GLSA provides one of the best overviews of updates for Linux: https://security.gentoo.org/glsa/, ordered descending by time. Typical cases for updates refer to arbitrary code execution, multiple vulnerabilities (especially buffer overflows), denial of service and information disclosure. In order to make the installation of listed updates possible, glibc has to be updated. Not all of the listed updates like cpio should be installed, while those for tar, bzip, freetype, rpm, openssl (tarball) and many other ones do function. Try the belonging tarballs or downgrade again, if not. Notice that updates provided for the distribution, except the exceptions named below, are almost sufficient; for mdv2010.1 and mdv2010.2 you can find them on ftp://fr2.rpmfind.net/linux/Mandriva/official/2010.1/x86_64/media/contrib/updates. fr2.rpmfind.net is a good installation and update source for most Linux distributions except Debian (with its own deb packages). Before a computer system gets updated, it always should be backed up completely! For detailed troubleshooting, cases we did not have with mdv2010, sources out of the internet and the newsgroup alt.linux.suse might be helpful too.

Linux permanently gets functionally extended and therefore also the applications and libraries. Package versions change as the distribution versions (by their own version numbers) do. In order to make a distribution error-free like in our example mdv2010, use a Linux-friendly mainboard and install only those packages (and tarballs) that belong to the same installed version of a most complex distribution past 2003. In our example they always end with "...mdv2010". Packages of the next higher versions like mdv2011 should interest only after upgrading the glibc adequately, or experimentally. Nevertheless, also think of all the updates referring to the same distribution and its version, marked by a name ending with "...version[distributionversion].update-number". To find such packages, take the installation DVD/CD and make queries for rpmfind.net resp. its mirror fr2.rpmfind.net. There, in the resulting listings, all packages are named explicitly in that way, that means by belonging distribution and version, but this might be the exception. For mdv2010 a kernel upgrade to mdv2012 by rpm packages is possible. We do not recommend to change the distribution from Mandriva to any other, except for many packages from Scientific Linux resp. ALT Linux resp. CentOS 6.7.

Does mdv2010 meet Fedora, currently fc23? Although mdv2010.1 and especially 2010.2 do not need any updates, you can upgrade mdv2010 to any current Linux by installing the downward-compatible C standard library glibc of rosa2014.1, mdv2012 or mga3, without rpm glibc itself, out of glib2.0-common (fastest: the currently patched el6 one or the six-times patched one from rosa2014.1 or mga3), glibc (el8, pclos, mga7, mga5, rosa2014.1), glibc-utils (el8, mga7, mga5, el6, rosa2014.1 or mga3), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), glibc-profile (mga7, mga5, rosa2014.1 or mga3), glibc-static (el6) or glibc-static-devel (rosa2014.1, mga3), glibc-devel (rosa2014.1 or mga3), glibc-i18ndata (mga7, mga5, rosa2014.1 or mga3), glibc_lsb (mga3), libc6, mm-common (mga3), lib64glimm2 (mdv2010), gettext (rosa2014.1 or mga3), lib64gettext-misc (rosa2014.1), lib64gettextpo0 (rosa2014.1), lib64intl8 (rosa2014.1), lib64png16 (rosa2014.1), glib-networking (el6), lib64nspr4, lib64nss3, locales (rosa2014.1 or mga3), locales-en, locales-de, locales-fr, locales.jp and further locales, and the C++ standard library stdcc++, all for x86_64 and i586, by "rpm -U --force --nodeps". For glibc DO NOT INSTALL MORE from mga3 OR mdv2012 than the listed ones! Now the huge gate to an ultimately mouseclick-fast working Linux world on SSD, even current Linux like today's Fedora core 24, has opened for the largest amount of software ever (even if not all of it)! You can upgrade and downgrade like by "elevators" reaching the floors of distros and versions provided by the listings of fr2.rpmfind.net. Warning: This does not function with every glibc without needing many other packages! You do not need them anymore. We repeat that software should do its function, while the rest is largely made secure by our excurs.
After that we might install a current version of the filesystem tools like e2fsprogs (1.43.2), reiserfsprogs (omv2015, mdv2011 or el7, el6), btrfsprogs and many updates recommended by Gentoo GLSA, URL see above. At last, for our Linux tuning, following the new filesystem rpm, copy all files of /lib to /usr/lib, /lib64/* to /usr/lib64, /bin/* to /usr/bin and /sbin/* to /usr/sbin. After all the operations upon glibc, Linux cannot be made to run any faster in future.

glibc (el8, pclos, mga7, mga5, rosa, mga3, mdv2012) complete for x86_64 (64 bit cpu), analogous i586 (32 bit), without making any problems: glibc (mga7, mga5), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), glibc-devel, libc6, glibc-i18ndata (mga7, mga5), glibc-profile (mga7, mga5), glibc-utils (mga7, mga5), glibc_lsb, gettext, locales, locales-en, locales-de, ..., gettext-base, lib64gettext-misc, lib64gettext-po0, lib64intl8, lib64png16, glib-gettextsize, glib-networking, glib2.0-common, lib64gio2, lib64glib-networking, lib64glib2.0, lib64glib2.0-devel, lib64glibmm2, lib64gmodule2, lib64gobject2, lib64ffi6, lib64gthread2, lib64stdc++, lib64QtGlib2.0, lib64packagekit-glib2 and prelink or glib2 (el7 or el6 instead of lib64gthread2 (rosa2014.1), lib64gio2 (rosa2014.1) and lib64gobject2 (rosa2014.1), we installed this one for this is el6 )

In order to avoid error messages of glibc (el8) during system boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n! If necessary, install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

We decided on the following GNU C standard library glibc:

glibc (el8, pclos, mga7, mga5, rosa2014.1), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), libc6 (rosa2014.1), compat-glibc (el6), glibc-common (el6), glibc-i18ndata (mga7, mga5, rosa2014.1), glibc-headers (el8, el6), glibc-static (el6), glibc-utils (mga7, mga5, el6), glibc-profile (mga7, mga5, rosa2014.1), glibc-glibc_lsb (rosa2014.1), locales (rosa2014.1), glib2 (el6), prelink (rosa2014.1), lib64stdc++ (fc, pclos, mga, rosa2014.1 and el6), or alternatively everything from mga7, mga5 or rosa2014.1

Package manager drakrpm offers an option named like "store in cache" in the menu for the seldom cases where dependencies of packages are not resolved correctly. Whenever this happens, downloaded packages should be copied from /var/cache/urpmi/rpm resp. /var/cache/urpmi/partial to a secure place for reinstallation.

Depending on the graphic card driver x11-driver-video-name, for our platform with name=intel choose the X11 server for mdv2010.0 even before mdv2010.1, referring to all files beginning with x11-server by name. Library packages have to be installed for the X server too, which are quite unknown in this context for you. To go sure with the X11 server of mdv2010.1, install all library packages (lib64....rpm) you need for the program packages at first, before the installation of the X server of mdv2010.1 takes place. So among the last packages to update are those for the X server of mdv2010.1!

Either a program is working or it is not, that means, it does its introduced functions or it does not. In the first case updates are seldom needed!

Be careful with the installation of many el6 packages. Some can restrict the functionality of mdv2010 (el6, el7); for example usermode can affect the call of MCC by mouseclick. So collect all previously installed rpm of mdv2010 in a directory for possible reinstallation needs.

For SMP#1 (mainboard with one CPU only), wallpaper´s fly mode of a wallpaper is not recommended.

Method for prevention: the already mentioned encryption of the partitions of the harddrive, also of USB media, or at least the encryption of certain files. You see by all the already red-marked passages and text: Although we dare to talk about security for the computer, and although all paid amounts and sums in conjunction with computers should be transferred back, of course one never stops learning.

Data backup and restore


Always keep all installation packages accessible. During installation phases, even mdv2010 can conflict in some unsolved ones of the quite infinite package dependencies. Check some programs, whether the shell does start and run. If the shell or any program does not, use a terminal to start them in order to watch for error messages as the cause (for packages) why not; in more serious cases use the prefix strace: "strace command-executable-file". If mdv is not booting correctly, the key "i" should be pressed to get into the interactive mode, where almost all should be started except the display manager dm.

You can save your SSD possibly forever! Not only two SSD or one more harddrive are needed, you also need a bootable USB-stick or Mindi or Mondo or a Knoppix from DVD resp. on a 250 MB sized partition to execute the command dd for the backup and restore of partitions.

Recommended (PCWelt, 08.08.2015) commands are rsync or its frontend grsync, alternatively rdiff; all packages resp. commands are provided for mdv2010. For SSD, in order to save power and work reliably and abstractly, we recommend one more SSD or a magnetic backup harddisk, where partitions have to be mirrored 1:1 by the partition manager, rsync or its helpful frontend grsync, the command rdiff or special mirror commands. Such commands full of options really do their best, even over SSH. But for local backups and restores, that means, if you ask us, we just prefer the simple command dd resp. safecopy, depicted below: unbeatable! Although SSDs do not like dd very much and take their time with it, dd always seems to reach its end at some time (dd works at around 1 GiB per minute on our SSD); use the dd replacement safecopy, if not. Notice that dd still does not provide any progress bar. But do not believe in fairy tales as this certain country is known for, prefer dd, as for example neither the operating system nor oneself knows exactly what all to back up, which partitions, directories and files, in order to prevent the worst that can happen: new installation, problems during restoration, file manipulation after hacker attacks with vandalism and/or data loss. So resign from so-called backup programs by backing up and restoring always 1:1 partition-wise with dd, here partition sda1 onto partition sdb1:

dd if=/dev/sda1 of=/dev/sdb1


With the reliable dd, your partitions always get restored, if damaged. Therefore never use any other backup programs for your partitions, don't be such a fool! dd always terminates fine, except in the case that its environment got damaged, in our example Knoppix from an own partition on SSD resp. harddisc or DVD. Therefore keep the Knoppix partition on all media, the backed-up one and its backup, besides Knoppix on DVD and/or USB stick.

The only disadvantage of dd is, that dd does not show any progress bar.

If you want to be even more clever in making backups than dd allows, use dcfldd. This el6 rpm works on mdv2010 like dd, but does show a progress bar. Some more extensions enable flexible disc wipes, a resume on error, the computation of md5 checksums using additional options like "hash=md5" and "md5log=md5.txt", and splitting of the output files.
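The partition-wise "dd if=/dev/sda1 of=/dev/sdb1" above, wrapped with the checks one wants before trusting a backup: an added example written for this excurs, not Gooken's own script. It refuses a mounted or too small target, runs dd with conv=fsync and then verifies the copy with SHA-256, which replaces the missing progress bar with at least a result check; the function names and the use of plain files for the test are the author's assumptions.

```shell
#!/bin/sh
# Added example (not from the page): a guarded wrapper around
# "dd if=/dev/sda1 of=/dev/sdb1" that refuses the classic mistakes
# (mounted target, target too small, unreadable source) and verifies
# the copy afterwards with a checksum. Works on block devices and,
# for testing without root, on plain files.
set -u

# Size in bytes of a block device or regular file.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Exit status 0 if the path is currently mounted (checked via /proc/mounts).
is_mounted() {
    [ -r /proc/mounts ] && grep -q "^$1 " /proc/mounts
}

# backup_partition SOURCE TARGET
# Copies SOURCE 1:1 onto the existing TARGET (which must be at least as
# large and must not be mounted), then compares SHA-256 sums of both.
backup_partition() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "source $src not readable" >&2; return 1; }
    [ -w "$dst" ] || { echo "target $dst not writable" >&2; return 1; }
    if is_mounted "$src" || is_mounted "$dst"; then
        echo "refusing: $src or $dst is mounted" >&2; return 1
    fi
    ssize=$(dev_size "$src"); dsize=$(dev_size "$dst")
    if [ "$dsize" -lt "$ssize" ]; then
        echo "refusing: target ($dsize bytes) smaller than source ($ssize bytes)" >&2
        return 1
    fi
    # conv=fsync forces the data onto the medium before dd reports success
    dd if="$src" of="$dst" bs=1048576 conv=fsync || return 1
    # Compare only the first $ssize bytes of the target (it may be larger).
    ssum=$(sha256sum < "$src" | cut -d' ' -f1)
    dsum=$(head -c "$ssize" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$ssum" = "$dsum" ] || { echo "verification failed" >&2; return 1; }
    echo "ok: $ssize bytes copied and verified"
}
```

Run it from the rescue medium as root, e.g. backup_partition /dev/sda1 /dev/sdb1; a non-zero exit status means nothing was written or the verification did not match.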

Although with dd all data backups worked well, even on SSD, the use of this command for SSD is warned against. http://ubuntuwiki.de/files/ssd/grundlagen.html :
dd fills unused and empty sectors and blocks with zeros, so that the essential spare area of the SSD will not be free anymore. Even the alignment, important for speed (access times), becomes absurd. The amount of write operations shortens its lifetime.
Therefore the commands cp and rsync are recommended. [...]
Clonezilla has the advantage of transferring only the non-empty blocks during the data transfer.


Linux-Bot-Net, Heartbleed, Shellshock, glibc-Patch, Bad Cow, ... on the way to Zero Updates, zero Patches and zero Bugfixes


The following distributions offer updates for mdv2010: omv2015, mga, rosa2014, mdv, fc, el7 and el6.

In msec, set "allow-root-login" to "yes" during the updating process, in order to guarantee the usage of bash commands and the work with the package manager rpm.

Make a 1:1 partition-wise backup on an external medium by reliably (even on encrypted partitions) working commands like dd from a rescue DVD or Linux on a USB stick, which can be used for restoring too.

One more aim after updating is to set "allow-root-login" back to "no", to move all logfiles to the shm (RAM) directory /tmp, to set the root partition to "ro" (read-only) and to deactivate the journalling feature of the Linux filesystems. This is performed at the very end of this section for reiserfs.

Many cases like bash with the so-called Shellshock, glibc, Linux botnets, OpenSSL and so on tell us about the essentiality of updates.

The security leak "Dirty Cow" within the Linux kernel enables a prohibited extension of access rights: http://www.pro-linux.de/news/1/24096/sicherheitslücke-im-linux-kernel-ermöglicht-lokale-rechteausweitung.html. In this report apparmor is mentioned, which might generally help. Start apparmor in the background, for example in /etc/rc.local by /usr/lib64/apparmorapplet &
This security leak has been known to the kernel developers for many years. Nevertheless, with linfw3 and msec level.secure configured as introduced, Dirty Cow becomes no risk, as an intrusion into the system is a precondition, regardless of patching the kernel or not. Kernel 4.20.13 (PCLinuxOS2019) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: version 004 (leads to a manual LUKS password request even in the case of an existing password key file!), mdv2011: version 008) and glibc (el8, pclos, mga6) resp. kernel 2.6.39.4-5.1 (mdv2011) can be patched with patches from year 2011 up to date from http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/. We made good experiences with this patched kernel.

Plenty of packages of mdv2010 resp. mdv2011 can be updated with CentOS 6, CentOS 7, Rosa2014.1 and Rosa2012, except KDE-Akonadi-Nepomuk for internal dependencies (mdv2010: version 4.4.5) and a few single packages. KDE can be updated completely.

KDE 4.4.5 includes many updates, as mentioned by the report http://var-log.de/page/6/ from year 2008: "For the release of 4.2 the KDE team fixed thousands of errors and built in many new features missed in KDE 4.2. This beta release gives the opportunity to check the last errors and bugs. The KDE team has published a list with significant improvements in 4.2 Beta 2. Since the first beta less than four weeks ago, 1.665 new errors were found and 2.243 got corrected. Since the release of KDE 4.1.0 more than 10.000 errors were fixed with a strong view upon the stability of KDE 4.2. Past KDE 4.2 many monthly updates are expected and finally, in summer 2009, KDE 4.3. Significant improvements of Plasma and KWin, the KDE workspace... ."

Our KDE solution: KDE as a mix out of kde 4.4.5/4.4.9 (mdv2010.2, November 2011), kde-4.3.4 (el6, actual patched up to year 2026) and kde (4.4.4, OpenSuSE 11.2, end of year 2013)

By mdv2010.0, mdv2010.1, mdv2010.2 and some mdv2011.0, most versions and releases of RPM packages got fixed and patched well for functionality for around two years, similar to el6 and el7 from year 2010 to 2026. All update rpm listed below will lead to a well functioning Linux that is current up to year 2026. Only the two to five times patched KDE 4.4.5 (mdv2010.2) is not upgraded. You can keep it or try KDE (omv2015) or the KDE of the Mandriva successor Rosa2014.1 from pkgs.org, for example. In the case of dependency conflicts, dare to install by the package manager rpm with the options --force and --nodeps (analogous to Debian), if you keep the preceding packages at hand and if you care for the installation packages that are still required, as listed by rpm during the installation process.

Except for browser, bash and OpenSSL, mdv2010 and Linfw3 make it possible: processes for net connections (including servers resp. all daemons resp. services to activate explicitly) have to be started, built up and therefore owned only by the password-protected user "surfuser" belonging to the group "surfgroup", while LINFW3 is blocking all other processes not started by surfuser, even those owned by root. The next thing Linfw3 does is opening only those ports belonging to such activated services. Furthermore it should not be allowed to chroot, while surfuser is not a member of any user and not of any group except surfgroup. A root login should generally not be allowed by configuration (MCC, security settings), and a user must be a member of the group wheel in order to become root, which can reduce the time for different works without risking too much, if LINFW3 is activated protecting with UID owner surfuser and GID owner surfgroup. Using MCC security, an access-less root access can be configured for the command su. In the device configuration file /etc/fstab it is also possible to set the option "noexec" for each partition, especially for the partition including the files owned by the user "surfuser". Then the configuration of file release within the LAN and the access rights for directories and files can even prevent the reading of directories and files with sensitive data ("chown non-surfuser; chmod 700"): the concept of UNIX (file)systems! It is a remaining matter of the communication protocols themselves, which can be used (built up) by the password-protected surfuser through belonging port releases only. To be more careful than careful, move all sensitive data to one more encrypted partition or an encrypted external medium, which should be plugged in or read only at the time when suspect services are not activated (when belonging connections are not built up). This fact is described in more detail below in our section for LINFW3. You can even resign from many updates.
But nevertheless, to go sure (over sure) as promised, we are going to describe how mdv2010 can be kept up to date almost entirely by the Scientific Linux alias CentOS 6 resp. 7, which is updated until 2026.

Good luck: Unix/Linux always consists in the main of the same software: kernel, grub/lilo, dracut, glibc, X11 server, window and desktop managers like Gnome and KDE with konqueror and kpim out of kmail, knodes, clamav, firefox, OpenOffice and koffice, gimp and so on. In comparison with non-OpenSource, this open source is checked many times, for it is read out well. Notice that many new updates, patches and bugfixes listed on fr2.rpmfind.net for mdv and in GLSA Gentoo just rely on functionality extensions. Therefore, do not use them. They might not work!

Everything of mdv2010 will run fine and stable on your SSD, except the KDE leading to the sinking plasmoid Daisy, belonging to the plasmoids like the one for the weather forecast, for example, exchanging data with external sources. You can always deinstall and deactivate such insecurely behaving plasmoids. Although the upgrade of glibc to rosa2014.1, mga3 or higher widens the possibilities, mdv2010 keeps its sensitivities in the case of the installation of wrong packages, which can lead to serious hard system breakdowns and hangups. Think like the MCC package manager. Keep the previously installed packages, until mdv2010 runs stable (reinstallation: rpm -U --force and/or --nodeps).

Have a look into the changelog of each package. There you learn about all modifications, ordered by date and weekday in descending order, together with the modification time, the name resp. e-mail address of each author (programmer) who made the modification and a short description of the modification itself. It is ultimately the publishing organisation that has to check all this information, using tools like diff. Some updated resp. patched packages can be recognized immediately by their high release number (el6 and el7), like NetworkManager-xxxx-107 (el6), where the trailing number stands for the release count (99 would stand for the 99th release), or in addition by the number after the dot at the end of the version number (mdk, mdv, mga), like NetworkManager-xxxx-25.2, where "2" stands for the second patch of that release. If the version number differs in its first digits, the package most likely contains serious changes. If it differs from the installed one in its last digits only, it becomes more likely that you can use this package as a replacement. Right before the version number resp. at the end of the package name comes the short name of the distribution, followed by the processor type, or "noarch" if the package is independent of the processor type. A third person not named in the changelog and in the list of packager names would have as much difficulty manipulating the packages as cracking and hacking the computer with the rpm command and the files on the storage media.

Filesystem: you have several options: reiserfsprogs (omv2015, omv2014) or reiserfs-utils (fc23, el7, el6), e2fsprogs (1.43.2) with lib64ext2fs (rosa2014.1) without uClibc (omv2014, omv2015), uclibc-lib64ext2fs (omv2014, omv2015), reiserfs-3.6.24-8.5 (OpenSuSE Factory) with libreiserfs, libreiserfs-progs and libreiserfscore0.
The hard drive (SSD) causes errors with some reiserfs versions during system boot and during checks by reiserfsck. Therefore our choice is reiserfsprogs (omv2015) and e2fsprogs (rosa2014.1) together with lib64ext2fs (rosa2014.1), which cause no errors anymore.

hdparm (omv2015, rosa2014.1, el7, el6) and sdparm (omv2015, rosa2014.1, el7, el6): adequate SSD parameters within /etc/rc.local (hdparm -W1a0A0 /dev/sda) support our aim: everything on SSD and mouseclick-fast! MCC, gparted and the disk manager Palimpsest provide an overview, some administration, benchmarks and partitioning.

Notice that all dependencies of a package have to be installed together with it. Otherwise this can cause a state similar to a buffer overflow, where CPU and RAM seem to have lost their capacity and the system appears to work endlessly.

Next point: the specific microcode update for the CPU. For the mainboard we introduce in the data sheet, ucode-intel (OpenSuSE) and ucode-intel-blob (OpenSuSE) should be installed to follow our aim of mouseclick-fast PC work.

All updates since mdv2007.0 and mdv2010 regularly refer to the following, and this is the advantage of UNIX systems: buggy software (not much of it for the mentioned mdv), all network communication programs such as proxies (squid, ...), MySQL, telephony, and the browser (using SSL 3.0 instead of TLS, as reported by three members of the Google team; that means every firefox up to a current resp. TLS-using version 34; unpack a current firefox, which can easily be updated by menu, into a directory like /usr/lib64/firefox and choose "Update Firefox" from the menu (same for Thunderbird into /usr/lib64/thunderbird); for updating firefox in detail see our section on updating firefox). Such

How to block scripts and ads with an ad resp. script blocker like konqueror-adblock.so and AdblockPlus is much simpler than suggested by their typical large, resource-consuming blocking lists full of predefined exceptions:
First, all blocking lists like EasyList have to be removed from AdblockPlus resp. the other adblocker. Many of them contain exceptions. The special convenience for (more) exceptions has to be deactivated too, by clicking on the check mark so that it no longer appears.
Now, as with the firewall linfw3, the "trusted" strategy, "forbidden is what is not (explicitly) allowed", should be followed.
Therefore the only existing private ad resp. script filter should contain just the following entries:
@@*.css*
||*.js/*
||*.com/*
||*.net/*
||*.de/*
||*.pl/*
*
or simply the single star character:
*
which blocks everything that could ever be blocked from a website!
That's all! It is not a bad idea to allow all stylesheets (css) by adding the one extra entry @@*.css* right at the top of the filter list. Very brave ones risk web bugs (scripts with an image output), which other extensions filter out, and add @@*.jpg*, @@*.jpeg*, @@*.gif* and @@*.png* too; these can be allowed in ABP resp. ABL as exceptions for each website loaded. Filter lists from elsewhere, like the EasyList that has to be kept up to date with its many exceptions, are not needed anymore! They were just nonsense, as no more entries are needed (except eventually some more top-level domains (country codes) in addition to "*.de/*").

So a single star character "*" on its own already does its very best!

Our final solution: our complete ABP resp. ABL filter list, especially at the very beginning, contains just the following entries:

ABP (Firefox <= ESR 52.9.0):
@@*.png*
@@*.css*
@@||*.gif*
@@||*.jpeg*
@@||*.jpg*
@@||*.svg*
*
*.js*
*.pl*
*


ABL (Pale Moon):
@@*.png
@@*.css
@@*.gif
@@*.jpeg
@@*.jpg
@@*.svg
*.js
*.pl
*


without any further entries and without any imported filter lists (full of exceptions and superfluous rules) like EasyList.

Fortunately, these few entries do not measurably influence the surf speed.

In order to make visible what in your eyes should be visible on a loaded website, exceptions should be added to the list one by one, mostly using wildcards resp. regular expressions, after the page has been built up, until the hidden (blocked) parts become visible. First, if the css entry should be missing, consider all stylesheets (css) as exceptions, while most or all JavaScript (.js) should still be blocked. To be sure, block *.js and *.pl in addition to the general "*" from above (as already done in our list above). Enter exceptions for images that are not shown (if the corresponding exceptions from above should still be missing) by entries like https://.../*.jpg and https://.../*.png too.
After that, the website should be loaded once more (refresh) and JavaScript should be disabled again for the time being by setting "javascript.enabled" to false via "about:config". If the filters of ABP resp. ABL are set as recommended above, keep "javascript.enabled true" for Firefox ESR (and, if you want, also for Pale Moon), as all JavaScript is already filtered out. The listed extensions really work fine if it is set to true.
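To see what the ABP list above actually lets through, here is a small matcher for the subset of Adblock Plus syntax the list uses (an added example, not code from this page or from Adblock Plus; the sample URLs are constructed). It also shows the one catch of substring wildcards: an exception such as @@*.css* whitelists every URL that merely contains ".css", including a script named beacon.css.js.

```python
"""Matcher for the 'block everything, then whitelist' filter style described above.
Added example, not code from the Gooken page or from Adblock Plus; it implements
only the subset of ABP syntax the page's lists use:
  *      wildcard (matches any run of characters, anywhere in the URL)
  ||     domain anchor (the rest of the rule must start at the host name)
  @@     exception rule; a matching exception wins over every blocking rule
"""
import re

# The page's ABP list for Firefox ESR <= 52.9.0, used as the sample rule set.
GOOKEN_ABP_LIST = """\
@@*.png*
@@*.css*
@@||*.gif*
@@||*.jpeg*
@@||*.jpg*
@@||*.svg*
*
*.js*
*.pl*
*
"""


def _rule_to_regex(body: str) -> re.Pattern:
    """Translate one rule body (already stripped of any '@@') into a regex."""
    anchored = body.startswith("||")
    if anchored:
        body = body[2:]
    pattern = re.escape(body).replace(r"\*", ".*")   # only '*' is special here
    if anchored:
        # '||' in ABP: match right after the scheme, optionally after a subdomain.
        pattern = r"^[a-z][a-z0-9+.-]*://(?:[^/]*\.)?" + pattern
    return re.compile(pattern)


def parse_filter_list(text: str):
    """Split a filter list into (blocking rules, exception rules)."""
    blocks, exceptions = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):        # blank line or comment
            continue
        if line.startswith("@@"):
            exceptions.append(_rule_to_regex(line[2:]))
        else:
            blocks.append(_rule_to_regex(line))
    return blocks, exceptions


def is_blocked(url: str, blocks, exceptions) -> bool:
    """ABP semantics: any matching '@@' rule allows the request unconditionally."""
    if any(rx.search(url) for rx in exceptions):
        return False
    return any(rx.search(url) for rx in blocks)


def classify(urls, filter_text=GOOKEN_ABP_LIST) -> dict:
    """Map each URL to 'BLOCK' or 'ALLOW' under the given filter list."""
    blocks, exceptions = parse_filter_list(filter_text)
    return {u: ("BLOCK" if is_blocked(u, blocks, exceptions) else "ALLOW") for u in urls}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample = [
        "https://example.de/index.html",
        "https://example.de/style.css",
        "https://example.de/images/photo.jpg",
        "https://cdn.example.net/track.js",
        "https://example.com/cgi-bin/counter.pl",
        "https://tracker.example.net/beacon.css.js",   # '@@*.css*' matches here
    ]
    for url, verdict in classify(sample).items():
        print(f"{verdict:5} {url}")
```

The last sample URL is allowed because the exception matches ".css" anywhere in the URL, so exceptions should be written as narrowly as the site permits (for example https://example.de/*.css rather than @@*.css*).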

Do the same with the Firefox extension RequestPolicy Continued, to be even more careful or as an additional measure, as unknown trackers are blocked on their first appearance until the user allows them.

In the first configuration window, set all three check marks, so that newly entered rules are stored permanently and not only temporarily.

The next configuration window deals with the rule set. Enter a new rule by selecting "block" and entering a * (star) into all fields of the new rule. Now the self-blockade of a website (resp. server) has to be prevented by allowing the corresponding rule just for the trusted server itself. If not, images and other objects might get blocked.

There are predefined rules within the rule set of RequestPolicy Continued, located in a directory deep below /home/surfuser/.mozilla/firefox/default-or-standard-profile, in some json files like allow_functionality.json, allow_sameorg.json and so on, which can also be reworked if you want.

The private mode can be deactivated by clicking upon settings in Firefox ESR, although this is not the whole truth: it will not really be deactivated while the extension Private Tabs is in use. Or take it the other way round: activate the private mode and deactivate it by clicking upon the tab via Private Tab.


Incognito mode for the protection of privacy while surfing, PC-WELT.de, 03.11.2019
The Windows 10 browser Edge, as much as Google Chrome and Firefox, offers a mode that leaves no traces behind on the PC while surfing. How to use this mode in a reliable way:
Whenever you change into the private surf mode, all information stored during the visit of websites, like cookies, history, web cache, images and videos, is deleted resp. removed after the browser is closed.
This is especially interesting if you are surfing the web on a foreign computer, in order to avoid leaving any traces behind. But it is an advantage on your own PC too, as the deletion (removal) of your surf data at the end of each internet session makes it more difficult for the owners resp. administrators of websites to create user profiles.
[...] Notice that the private mode does not provide anonymity on the internet. Your internet provider (ISP), the administrator of the router of communities or the network administrator of a company network is still able to evaluate the sites visited, the links clicked and the data transferred.
https://www.pcwelt.de/a/inkognito-modus-privatsphaere-beim-surfen-schuetzen,3450334

Did we mention it, or didn't you know? PHP and Perl scripts are always interpreted first and server-side on each website load, before the JavaScript and HTML are interpreted client-side (on the side of the surfer resp. user).

In the hope that user.js from KaiRaven and other authors has been copied into the default profile directory, that linfw3 and firejail have been installed and configured, that /etc/hosts from far below on this website is in place and that DNS (priority: local, followed by remote and pdnsd) is configured well, surfing with Firefox ESR can begin!

While surfing, NoScript and RequestPolicy Continued have to be checked after a website has loaded. It is your own free choice to filter out the listed scripts or to let them pass. If a website requires cookies, they can be allowed by the CookieController.

All that has to be done now, after the configuration of the listed extensions, is to start the browser and to click upon the first and only appearing tab to make it private (working in private mode).

Nevertheless, what we have seen works on the basis of "trusted", just as linfw3 and openssl with ssl certificates and so on do.
But AdblockPlus changed its layout in November 2017, making such a configuration impossible. Try older versions downloadable from fr2.rpmfind.net named mozilla-adblockplus-2.9.1-27 (fc28, fc27, el7, el6), noscript: mozilla-noscript (-5.1.8.6, 5.1.8.5, 5.1.7-1, fc28, fc27, el7, el6) or seamonkey-noscript (el6, 5.1.9-3, recommended noscript for ff-ESR-52.9.0; contains the xpi installation file), http://ftp.pbone.net/mirror/archive.fedoraproject.org/fedora/linux/updates/25/armhfp/Packages/m/mozilla-noscript-5.1.7-1.fc25.noarch.rpm.

NoScript, rpm mozilla-noscript (fc29, el7, el6), can enforce SSL encryption (https) for the addressed websites by entering into the large text input field of the register HTTPS:

*


Write exceptions below each other in the field below. The Firefox extension HTTPS Everywhere, rpm mozilla-https-everywhere (fc, el6 or mozilla.org), is not needed anymore.

The important Firefox security extension RequestPolicy Continued, rpm: mozilla-requestpolicy (-1.0-0.22.20171019git633302 fc29, el7, el6), might contain some predefined rules, but it also enables the user to add temporary as well as persistent new rules. They might be set generally under "target" (and therefore not under "origin"), using * for any port. You might want to set them for externally loaded fonts and Google, like *syndication*:*/*, *analytics*:*/*, *tagmanager*:*/*, *usercontent*.*:*, *google.*:*/* and other targets. Install this extension after ABP, but before NoScript.

Search plugins (for the search engines integrated into Firefox) in /usr/lib64/firefox/browser/searchplugins can be removed except for one. If you remove all of them, the context menu might not build up completely; for example, copy and paste of text and links might not work anymore.
To be sure, remove the search parameters within the remaining xml search plugin using a text editor like nano.

Incognito mode: protecting privacy while surfing, PC-WELT.de, 06.04.2018
The Windows 10 browser Edge, as well as Google Chrome and Firefox, provides a mode that keeps the PC from being tracked.
[...] Firefox users have to click upon the icon with the three horizontal bars at the top right of the menu to choose "private window", or press the keys STRG-P.
https://www.pcwelt.de/a/inkognito-modus-privatsphaere-beim-surfen-schuetzen,3450334

Certificates: the following permissions can be set to the values "Always ask", "allow" and "block" for each website by clicking on the lock symbol and the register "Permissions":

Access Your Location
Install Add-ons
Load Images
Maintain Offline Storage
Open Pop-up Window
Receive Notifications
Set Cookies
Share the Screen
Use the Camera
Use the Microphone

Remove (delete) all URLs resp. URIs the browser (including Pale Moon and Tor Browser) has stored and lists through about:config:
about:config -> type http into the search line -> remove the listed URLs by clicking upon them and replacing them with a blank (empty string).

Finally, one should have read the report on the configuration of Firefox ESR via "about:config", Firefox-Tuning zur Absicherung und Anonymisierung, https://wiki.kairaven.de/open/app/firefox, to understand what we do next. (!!!)
There, the configuration of values that would otherwise be overwritten in about:config is supposed to happen through mozilla.cfg. But this does not work. The include of this file has to be taken over (copied) from mozilla.cfg (installation directory) into defaults/local-settings.js. Then the "forgotten" values are actually set in Firefox ESR.
All entries are listed in http://kb.mozillazine.org/About:config_Entries
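Before a hand-merged user.js like the one that follows is copied into the profile directory, it is worth checking it for the errors that typically creep in when several sources are concatenated: a pref line that does not parse, a pref name with a wrong-case component (Firefox pref names are case-sensitive, so such a line sets an unknown key), and the same pref set twice, where Firefox silently keeps the last value. The checker below is an added example, not code from this page or from the KaiRaven or pyllyukko user.js files; the user.js it runs on is a constructed sample.

```python
"""Sanity checks for a Firefox user.js before it is copied into the profile directory.
Added example, not part of the Gooken page nor of the KaiRaven or pyllyukko user.js
files. It catches three mistakes typical of hand-merged files:
  - a line that looks like a pref but does not parse (missing comma, stray space),
  - a preference name with an upper-case component ("Media.navigator.enabled");
    pref names are case-sensitive, so such a line sets an unknown key and
    leaves the real preference untouched,
  - the same preference set twice: Firefox keeps the LAST value, so a later
    line silently overrides an earlier one (e.g. a SOCKS port).
"""
import re

# user_pref("name", value);   value is true/false, an integer or a quoted string
PREF_RE = re.compile(
    r'^user_pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;\s*(?://.*)?$'
)
LOOKS_LIKE_PREF = re.compile(r'^user_pref\s*\(')

# Constructed sample modelled on the kind of errors that creep in when several
# user.js sources are concatenated; it is not the page's user.js.
SAMPLE_USER_JS = """\
// proxy section
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("image. animation_mode" "normal");
user_pref("Media.navigator.enabled", false);
user_pref("media.peerconnection.ice.no_host", true); // Firefox >= 52
user_pref("network.proxy.socks_port", 9);
"""


def _is_comment(line: str) -> bool:
    return line.startswith(("//", "/*", "*", "*/"))


def lint_user_js(text: str):
    """Return findings as (line_number, kind, message), in file order."""
    findings = []
    seen = {}  # pref name -> (line_number, value)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or _is_comment(line):
            continue
        m = PREF_RE.match(line)
        if not m:
            kind = "syntax" if LOOKS_LIKE_PREF.match(line) else "unknown"
            findings.append((lineno, kind, f"cannot parse: {line}"))
            continue
        name, value = m.group(1), m.group(2)
        # Heuristic: no Firefox pref component starts with a capital letter
        # (privacy.resistFingerprinting is fine, Privacy.resistFingerprinting is not).
        if any(part[:1].isupper() for part in name.split(".")):
            findings.append((lineno, "case", f"{name}: upper-case component, pref will be ignored"))
        if name in seen:
            first_line, first_value = seen[name]
            if first_value == value:
                findings.append((lineno, "duplicate", f"{name} repeats line {first_line}"))
            else:
                findings.append((lineno, "override",
                                 f"{name}={value} overrides {first_value} from line {first_line}"))
        seen[name] = (lineno, value)
    return findings


def effective_prefs(text: str) -> dict:
    """The values Firefox would actually end up with (last assignment wins)."""
    prefs = {}
    for raw in text.splitlines():
        m = PREF_RE.match(raw.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


if __name__ == "__main__":
    for lineno, kind, msg in lint_user_js(SAMPLE_USER_JS):
        print(f"line {lineno:>3} [{kind}] {msg}")
    print("effective socks port:", effective_prefs(SAMPLE_USER_JS)["network.proxy.socks_port"])
```

Run it against your own file with `lint_user_js(open("user.js").read())`; an "override" finding on network.proxy.socks_port is exactly the case where a copied blackhole-proxy section would replace the Tor port without any visible error.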

/******************************************************************************
* /home/surfuser/.mozilla/firefox/your_default_profile_directory00-or-so/user.js *
* https://github.com/pyllyukko/user.js *
******************************************************************************/

// http://kb.mozillazine.org/User.js_file
//
// always enable mouseclick on links and formular text inputs:
// (user_pref("network.protocol_handler.expose_all", true)
//
//====================================================
// section TOR-BROWSER (ff-ESR) only
// ===================================================
// The meek-http-helper extension uses dump to write its listening port number
// to stdout.

// pale moon- and therefore also ff- extension SecretAgent for setting and changing user agents

user_pref("extensions.SecretAgent.StealthMode", true);

// enable javascript so that ABP (fc29) of ff will work, but disable it for Pale Moon because of ABL; ABL works even if javascript is disabled.

user_pref("javascript.enabled", true);
//
// disable ftp user_pref("network.protocol-handler.external.ftp" true);
//
//Proxy: always use anonymizing Tor each ff-start

user_pref("network.http.proxy.pipelining", false);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.type", 1);

// DNS for Tor: remote DNS lookup first (true) or local DNS lookup first (false). We deal especially with the case "false" later in the excurs section on DNS servers.

user_pref("network.proxy.socks_remote_dns", false);

// some more settings

user_pref("security.ssl.disable_session_identifiers", false);
user_pref("devtools.remote.wifi.scan", false);
user_pref("devtools.gcli.imgurClientID", "");
user_pref("devtools.remote.wifi.visible", false);
user_pref("browser.dom.window.dump.enabled", true);
//
// Enable (here disable) SPDY and HTTP/2 as they are in Firefox 38, for a matching ALPN extension.
// https://trac.torproject.org/projects/tor/ticket/15512
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("network.http.spdy.coalesce-hostnames", false);
//
// https://support.mozilla.org/en-US/questions/1043508
user_pref("dom.disable_beforeunload", true);

// Disable safe mode. In case of a crash, we don't want to prompt for a
// safe-mode browser that has extensions disabled.
// https://support.mozilla.org/en-US/questions/951221#answer-410562
user_pref("toolkit.startup.max_resumed_crashes", -1);

//==============================================
// end section TOR-BROWSER
//==============================================
// Set a failsafe blackhole proxy of 127.0.0.1:9, to prevent network interaction
// in case the user manages to open this profile with a normal browser UI (i.e.,
// not headless with the meek-http-helper extension running). Port 9 is
// "discard", so it should work as a blackhole whether the port is open or
// closed. network.proxy.type=1 means "Manual proxy configuration".
// http://kb.mozillazine.org/Network.proxy.type
// The three settings below come from the meek-http-helper profile. In a user.js
// that is also meant to reach Tor on 127.0.0.1:9050 (section above) they must
// stay commented out: Firefox applies the LAST value of a pref in user.js, so
// port 9 would win and blackhole all traffic. Enable them only in a headless
// profile that really runs with meek-http-helper.
// user_pref("network.proxy.type", 1);
// user_pref("network.proxy.socks", "127.0.0.1");
// user_pref("network.proxy.socks_port", 9);
// Make sure DNS is also blackholed. network.proxy.socks_remote_dns is
// overridden by meek-http-helper at startup.
user_pref("canvas.capturestream.enabled", false);
user_pref("security.csp.experimentalEnabled", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.permissionPrompts.showCloseButton", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
user_pref("security.family_safety.mode", 0);
user_pref("social.directories", "");
user_pref("svg.disabled", true);
user_pref("extensions.enabledAddons", "meek-http-helper@bamsoftware.com:1.0");
user_pref("network.protocol-handler.expose.ftp", false);
user_pref("network.protocol-handler.external.ftp", false);
user_pref("image.animation_mode", "normal");
user_pref("update.interval", 0);
// permissions.default.image determines when images should be loaded:
// 1 (default): load all images
// 2: do not load any images
// 3: load images from the same (originating) server only
// Note: this preference was previously known as
user_pref("permissions.default.image", 1);
//
// PC-Welt.de, https://www.pcwelt.de/ratgeber/Geheime-Tricks-der-Insider-Browser-Geheimnisse-8809751.html
//
// pref names are case-sensitive; the capitalized spellings in the PC-Welt article do not work
user_pref("media.navigator.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("browser.taskbar.previews.enable", false);
user_pref("privacy.resistFingerprinting", true);
//
//
//
/******************************************************************************
* SECTION: HTML5 / APIs / DOM *
******************************************************************************/
// recommended for Firefox-ESR
// listed settings contribute to anonymizing and increasing speed of firefox up to 100%
// copy to /home/user/.mozilla/firefox/*your_profile_default_directory/
// PREF: Disable Service Workers
// https://developer.mozilla.org/en-US/docs/Web/API/Worker
// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
// Unknown security implications
// CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
user_pref("dom.serviceWorkers.enabled", false);

// PREF: Disable Web Workers
// https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers
// https://www.w3schools.com/html/html5_webworkers.asp
// NOTICE: Disabling Web Workers breaks "Download as ZIP" functionality on https://mega.nz/, WhatsApp Web and probably others
user_pref("dom.workers.enabled", false);

user_pref("browser.tabs.closeWindowWithLastTab", false);

// PREF: Disable web notifications
// https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501
user_pref("dom.webnotifications.enabled", false);

// PREF: Disable DOM timing API
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
// https://www.w3.org/TR/navigation-timing/#privacy
user_pref("dom.enable_performance", false);

// PREF: Make sure the User Timing API does not provide a new high resolution timestamp
// https://trac.torproject.org/projects/tor/ticket/16336
// https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
user_pref("dom.enable_user_timing", false);

// PREF: Disable Web Audio API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
user_pref("dom.webaudio.enabled", false);

// PREF: Disable Location-Aware Browsing (geolocation)
// https://www.mozilla.org/en-US/firefox/geolocation/
user_pref("geo.enabled", false);

// PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
// https://bugzilla.mozilla.org/show_bug.cgi?id=689252
user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");

// PREF: When geolocation is enabled, don´t log geolocation requests to the console
user_pref("geo.wifi.logging.enabled", false);

// PREF: Disable raw TCP socket support (mozTCPSocket)
// https://trac.torproject.org/projects/tor/ticket/18863
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
// https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
user_pref("dom.mozTCPSocket.enabled", false);

// PREF: Disable DOM storage
// http://kb.mozillazine.org/Dom.storage.enabled
// https://html.spec.whatwg.org/multipage/webstorage.html
// NOTICE: Disabling DOM storage is known to cause `TypeError: localStorage is null` errors on some sites
user_pref("dom.storage.enabled", false);

// PREF: Disable leaking network/browser connection information via Javascript
// Network Information API provides general information about the system´s connection type (WiFi, cellular, etc.)
// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
// https://wicg.github.io/netinfo/#privacy-considerations
// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
user_pref("dom.netinfo.enabled", false);

// PREF: Disable network API (Firefox< 32)
// https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
// https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
user_pref("dom.network.enabled", false);
//
user_pref("network.dns.disableIPv6", true);
//
// PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox< 42)
// NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...)
user_pref("media.peerconnection.enabled", false);

// PREF: Don´t reveal your internal IP when WebRTC is enabled (Firefox>= 42)
// https://wiki.mozilla.org/Media/WebRTC/Privacy
// https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
user_pref("media.peerconnection.ice.default_address_only", true); // Firefox 42-51
user_pref("media.peerconnection.ice.no_host", true); // Firefox>= 52

// PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
// https://wiki.mozilla.org/Media/getUserMedia
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
user_pref("media.navigator.enabled", false);
user_pref("media.navigator.video.enabled", false);
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);

// PREF: Disable battery API (Firefox< 52)
// https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
// https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
user_pref("dom.battery.enabled", false);

// PREF: Disable telephony API
// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);

// PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);

// PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionality in JS-based web applications (Google Docs...)
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
user_pref("dom.event.clipboardevents.enabled", false);

// PREF: Disable "copy to clipboard" functionality via Javascript (Firefox>= 41)
// NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
// https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
user_pref("dom.allow_cut_copy", false);

// PREF: Disable speech recognition
// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.recognition.enable", false);

// PREF: Disable speech synthesis
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
user_pref("media.webspeech.synth.enabled", false);

// PREF: Disable sensor API
// https://wiki.mozilla.org/Sensor_API
user_pref("device.sensors.enabled", false);

// PREF: Disable pinging URIs specified in HTML<a> ping= attributes
// http://kb.mozillazine.org/Browser.send_pings
user_pref("browser.send_pings", false);

// PREF: When browser pings are enabled, only allow pinging the same host as the origin page
// http://kb.mozillazine.org/Browser.send_pings.require_same_host
user_pref("browser.send_pings.require_same_host", true);

// PREF: Disable IndexedDB
// https://developer.mozilla.org/en-US/docs/IndexedDB
// https://en.wikipedia.org/wiki/Indexed_Database_API
// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
// http://forums.mozillazine.org/viewtopic.php?p=13842047
// https://github.com/pyllyukko/user.js/issues/8
// NOTICE: IndexedDB could be used for tracking purposes; upstream (pyllyukko) leaves it enabled because some add-ons (notably uBlock) require it. It is disabled here.
user_pref("dom.indexedDB.enabled", false);

// TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"

// PREF: Disable gamepad API to prevent USB device enumeration
// https://www.w3.org/TR/gamepad/
// https://trac.torproject.org/projects/tor/ticket/13023
user_pref("dom.gamepad.enabled", false);

// PREF: Disable virtual reality devices APIs
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
user_pref("dom.vr.enabled", false);

// PREF: Disable vibrator API
user_pref("dom.vibrator.enabled", false);

// PREF: Disable resource timing API
// https://www.w3.org/TR/resource-timing/#privacy-security
user_pref("dom.enable_resource_timing", false);

// PREF: Disable Archive API (Firefox< 54)
// https://wiki.mozilla.org/WebAPI/ArchiveAPI
// https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
user_pref("dom.archivereader.enabled", false);

// PREF: Disable webGL
// https://en.wikipedia.org/wiki/WebGL
// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
user_pref("webgl.disabled", true);
// PREF: When webGL is enabled, use the minimum capability mode
user_pref("webgl.min_capability_mode", true);
// PREF: When webGL is enabled, disable webGL extensions
// https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
user_pref("webgl.disable-extensions", true);
// PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
// https://trac.torproject.org/projects/tor/ticket/18603
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
// PREF: When webGL is enabled, do not expose information about the graphics driver
// https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
// https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
user_pref("webgl.enable-debug-renderer-info", false);
// somewhat related...
user_pref("pdfjs.enableWebGL", false);

// PREF: Spoof dual-core CPU
// https://trac.torproject.org/projects/tor/ticket/21675
// https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
user_pref("dom.maxHardwareConcurrency", 2);

/******************************************************************************
* SECTION: Misc *
******************************************************************************/

// PREF: Disable face detection
user_pref("camera.control.face_detection.enabled", false);

// PREF: Default search engine (the upstream DuckDuckGo setting is disabled here; the values are left empty)
// https://support.mozilla.org/en-US/questions/948134
user_pref("browser.search.defaultenginename", "");
user_pref("browser.search.order.1", "");
user_pref("keyword.URL", "");

// PREF: Disable GeoIP lookup on your address to set default search engine region
// https://trac.torproject.org/projects/tor/ticket/16254
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");
user_pref("browser.search.geoip.url", "");

// PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
user_pref("intl.accept_languages", "en-US");
user_pref("intl.charset.fallback.override", "UTF-8");

// PREF: Don´t use OS values to determine locale, force using Firefox locale setting
// http://kb.mozillazine.org/Intl.locale.matchOS
user_pref("intl.locale.matchOS", false);

// PREF: Don´t use Mozilla-provided location-specific search engines
user_pref("browser.search.geoSpecificDefaults", false);

// PREF: Do not automatically send selection to clipboard on some Linux platforms
// http://kb.mozillazine.org/Clipboard.autocopy
user_pref("clipboard.autocopy", false);

// PREF: Prevent leaking application locale/date format using JavaScript
// https://bugzilla.mozilla.org/show_b